Use of global.R and data folder to keep files secure

I am a newbie to Shiny (ie not made a single .app yet!) and plan to deploy an interactive site using RStudio Connect that users would sign in with using a username and password My site would require to import a .xlsx file as a data frame, and then the .ui would filter records from it, supported by my .server code.

My current plan is to have a global.R script to do the heavy work of importing the .xlsx from a folder called 'data', and then the .ui and .server files can take things from there.

I know that if a folder called 'www' exists, then its contents are viewable by a user's browser, and thus its contents are publicly accessible (and not secure).

My question is whether my .xlsx file in the folder called 'data' is also able to be publicly viewable or downloaded in any way by a user? In effect, is the .xlsx file in the 'data' folder secure, or not?

With thanks for anyone's help in advising on a way to keep things away from prying eyes!
Nevil

Oops! Sorry for missing this, and great question!

The .xlsx file will definitely not be accessible / viewable / downloadable by a user if it is written to a ./data folder.

Here is an example: https://shiny.rstudio.com/tutorial/written-tutorial/lesson5/

If you want to justify it to yourself, you could also create a www/myfile.txt, find the URL that it is accessible at (I would presume myapp.com/myfile.txt), and then try the same for a file myotherfile.txt in ./data (i.e. myapp.com/data/myotherfile.txt or myapp.com/myotherfile.txt).

The contents of non-www folders are not exposed to the user unless you do that yourself. Hope that helps!