URL Private
Important: When this checkbox is unselected, the value will be sent to the user’s browser and thus [is] insecure. Private information such as passwords and confidential API keys should not be marked as private. When this checkbox is not selected, you can set the value dynamically in the editor.
(emphasis in original). It seems that “private information such as passwords and confidential API keys” should be marked as private.
Just sayin’