First it depends of what you want to secure.
All server connect actions are Php files that get executed so nobody will ever see their code - just the results.
This brings us to the second point what data you want the public to see?
If you are a public site then it is all fine, you should show all data as you need it on your pages as well.
However if you have restricted areas on your site, for example behind security provider login, it is also logical to secure the data feeds ( Server Connect api files) that are used.
Happily that is very easy to do by including a security provider restrict step in them as first step. So the same login as used to secure your pages with security provider is also used for the separate server connect app calls.
And everything is perfectly secured