Anything on the client's device can be subverted, decompiled, etc., and this holds true with native code as well as PG code. So in short, put nothing out on the user's device that you wouldn't want made public. Keeping important bits on the server and never trusting your client app is a good start, but you may also need to exercise your legal rights in this regard as well should someone infringe against your copyright or IP.