Yes, for now. But on the new Homey Pro 2023 it will be different, as written in the developer update.
The new Homey Pro can be fully backed up to a Mac or PC using USB. This means the entire operating system & userdata is saved .Because of this new feature, it’s considerably easier for users to access and/or change Homey Pro’s filesystem, and therefore an app’s JavaScript code and environment variables.
The question how information in a env.json will be protected remains unanswered, not in the AMA nor on slack.:
