This is an issue I’ve recently noticed as well. You can properly protect the data from being accessed by the end-users but any data sent through the API connector after being decrypted is viewable in the actual Bubble logs from the editor under Logs > Server Logs.
Not sure what the correct solution for this is.