We have developed a Google Apps Script (GAS) add-on, which is officially published on the Google Workspace Marketplace. Since the code runs entirely inside Google Workspace and does not go through any external CI/CD pipelines, we want to better understand how secure the stored data and credentials are inside the script.
Currently, our add-on contains several hardcoded credentials, including:
• Amazon SP API keys
• Amazon Ads API keys
• Database (MySQL/Cloud SQL) access credentials
• Firestore authentication credentials
Since the add-on is hosted and managed by Google, we would like to clarify:
1. Is it necessary to encrypt or obfuscate sensitive data inside the script, or does Google already ensure its protection?
2. Can the source code of a published Google Workspace add-on be accessed, extracted, or reverse-engineered by end users in any way?
3. What are the best practices for securely storing secrets in a Google Apps Script add-on?
4. Is there a recommended way to integrate with Google Cloud Secrets Manager, Firestore, or any other secure storage solution for managing sensitive credentials within an add-on?
Additionally, we previously attempted to use Properties Service to store credentials instead of hardcoding them, but it introduced some issues:
• Difficulty in debugging when dealing with stored JSON.
• Unwanted data artifacts, making it unreliable.
Given these challenges, we are looking for secure and scalable best practices to handle sensitive credentials inside a Google Apps Script add-on.
Any insights, best practices, or official documentation references would be highly appreciated.
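As an added illustration of points 3 and 4 above (example code written for this thread, not code from the original poster's add-on), the block below shows the two pieces a typical Apps Script add-on uses instead of hardcoded keys: a small wrapper around PropertiesService that serialises and validates JSON on every read, so a malformed or missing value fails with a clear message instead of surfacing as a puzzling `undefined` later, and a Secret Manager reader that fetches the real API key at call time over the REST API using the script's own OAuth token (`ScriptApp.getOAuthToken()` with the `https://www.googleapis.com/auth/cloud-platform` scope declared in `appsscript.json`, plus `script.external_request` for UrlFetchApp). The property key `ADDON_DB_CONFIG`, the project id, the secret name and the in-memory stand-ins for PropertiesService and UrlFetchApp are constructed for the example; in the add-on you would pass `PropertiesService.getScriptProperties()` and `UrlFetchApp.fetch` instead. Note that the secret still exists in the script's memory while it runs and is readable by anyone who can edit the script project, so this narrows exposure to the GCP project's IAM rather than removing the trust placed in the deployment account.

```javascript
// Added example for this thread, not from the original poster's add-on.
// Runs unchanged under the Apps Script V8 runtime; the Node.js branches
// exist only so the logic can be exercised outside Apps Script.

// --- PropertiesService: store JSON, validate on read ----------------------
// Property values are always strings and getProperty() returns null for a
// missing key, so every read goes through one parser that reports what is
// wrong (missing key, invalid JSON, missing field) instead of failing later.
function saveJsonProperty(props, key, value) {
  props.setProperty(key, JSON.stringify(value));
}

function loadJsonProperty(props, key, requiredFields) {
  const raw = props.getProperty(key);
  if (raw === null || raw === undefined) {
    throw new Error("Missing property: " + key);
  }
  let parsed;
  try {
    parsed = JSON.parse(raw);
  } catch (e) {
    throw new Error("Property " + key + " is not valid JSON: " + e.message);
  }
  const missing = (requiredFields || []).filter((f) => !(f in parsed));
  if (missing.length > 0) {
    throw new Error("Property " + key + " lacks fields: " + missing.join(", "));
  }
  return parsed;
}

// --- Secret Manager over REST ---------------------------------------------
// Secret Manager's "access" endpoint returns { payload: { data: <base64> } }.
// The token's principal (the script's attached GCP project / deploying
// account) needs roles/secretmanager.secretAccessor on the secret.
function secretVersionUrl(projectId, secretId, version) {
  return "https://secretmanager.googleapis.com/v1/projects/" + projectId +
    "/secrets/" + secretId + "/versions/" + (version || "latest") + ":access";
}

function base64ToString(b64) {
  if (typeof Utilities !== "undefined") {                 // Apps Script runtime
    return Utilities.newBlob(Utilities.base64Decode(b64)).getDataAsString();
  }
  return Buffer.from(b64, "base64").toString("utf8");     // Node.js (tests)
}

// fetchFn is UrlFetchApp.fetch in the add-on; injected here for testability.
function accessSecret(fetchFn, oauthToken, projectId, secretId, version) {
  const resp = fetchFn(secretVersionUrl(projectId, secretId, version), {
    method: "get",
    headers: { Authorization: "Bearer " + oauthToken },
    muteHttpExceptions: true,                             // inspect the code ourselves
  });
  if (resp.getResponseCode() !== 200) {
    // Log only the status: error bodies can echo request details into logs.
    throw new Error("Secret Manager returned HTTP " + resp.getResponseCode());
  }
  const body = JSON.parse(resp.getContentText());
  return base64ToString(body.payload.data);
}

// --- Constructed stand-ins so the example runs outside Apps Script --------
function makeMemoryProps() {                              // mimics ScriptProperties
  const m = {};
  return {
    setProperty: function (k, v) { m[k] = String(v); },
    getProperty: function (k) { return Object.prototype.hasOwnProperty.call(m, k) ? m[k] : null; },
  };
}

function makeFakeFetch(secretValue) {                     // mimics UrlFetchApp.fetch
  const b64 = typeof Utilities !== "undefined"
    ? Utilities.base64Encode(secretValue)
    : Buffer.from(secretValue, "utf8").toString("base64");
  return function () {
    return {
      getResponseCode: function () { return 200; },
      getContentText: function () { return JSON.stringify({ payload: { data: b64 } }); },
    };
  };
}

// Wires both halves together: non-secret settings from properties, the key
// from Secret Manager. Returns the recovered key so it can be checked.
function demo() {
  const props = makeMemoryProps();
  saveJsonProperty(props, "ADDON_DB_CONFIG", { host: "db.internal.example", port: 3306 });
  const cfg = loadJsonProperty(props, "ADDON_DB_CONFIG", ["host", "port"]);
  const fetchFn = makeFakeFetch("constructed-secret-value");   // constructed, not real
  const apiKey = accessSecret(fetchFn, "constructed-oauth-token", "example-project", "amazon-sp-api");
  return { host: cfg.host, port: cfg.port, apiKey: apiKey };
}
```

In the add-on itself the call becomes `accessSecret(UrlFetchApp.fetch, ScriptApp.getOAuthToken(), "<your-project-id>", "<secret-name>")`, and the only values left in properties are non-secret settings such as the database host; rotating a key is then a new Secret Manager version with no redeploy of the script.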
Hi Mateus, did you get any good answers to this? I posted a similar question over on the GAS forum, then saw that you were asking about it too. I have an add-on that is nearly ready to submit to the marketplace. I'm trying to balance security while also not slowing down performance too much.