Koithodan,

I do not see the security vulnerability in globalQuery, but I see the
issue in how you're using it.

You indicated the problem and the solution yourself:
data that is sent to the browser can be intercepted and viewed; if you
do not want these data potentially be revealed, do not send them to the
client.

Yes, the solution may involve the need to get familiar with server based
or client-server technology - all of which can be seamlessly integrated
with UserApp, e.g. with server based mapping activities, integration
activities, calling Java classes, and/or using Ajax calls.

Good luck

Wolfgang