I would not recommend putting sensitive data in widgets that will be on the page, no. They are normally for display purposes and the data they contain is what they need to display something, usually to the public.
You could safely put sensitive information in the schema of a piece; that is what I would recommend. It would seem strange to put it in a widget since they are so display-oriented.
I've opened a ticket to track that. Contributions are of course welcome: