Yup. In order to make parameters dynamic, you need to mark them as client safe in the API Connector.
Considering that you shouldn’t be using an API like Plaid without a secure connection, you should be fine as long as you’re on https.
Don’t expose sensitive information in the url or browser, though.