If you are making the request from the front end and not the backend then users can extract the client secret from the axios call made as it will log in the network inspector part of any web browser inspector.
So a “secure file” doesn’t really exist on the front end.