From the manual:
Never, ever enter usernames or passwords in to events. These will be visible in plain text in the exported Javascript, and malicious users will very quickly be able to take control of the account. If you need to connect to something like a database, write a server-side script that talks to the database, then connect to the URL of the server.
For money and gold in a platform store for Google, Apple etc then that's completely safe, stored on the user's account. C2 makes calls to the account rather than using local variables.