Since the plugin runs client-side it behaves similar to a website, meaning there are the same limitations in place in terms of hiding source code.
Generally speaking, I'd advise to consider the trade-offs and find a good balance of what should and shouldn't be included in the plugin as it can make things much more complicated.
- Avoid including security critical details such as API keys, tokens, etc. Consider asking for user input or server roundtrip
- Keep business logic on a server and have the plugin communicate via an API to your server