I do not see the security vulnerability in globalQuery, but I see the
issue in how you're using it.

You indicated the problem and the solution yourself:
data that is sent to the browser can be intercepted and viewed; if you
do not want these data potentially be revealed, do not send them to the

Yes, the solution may involve the need to get familiar with server based
or client-server technology - all of which can be seamlessly integrated
with UserApp, e.g. with server based mapping activities, integration
activities, calling Java classes, and/or using Ajax calls.

Good luck