Supabase Auth w/ Sveltekit (session in source)

[sharkstate]

Im using Supabase Auth with Sveltekit and notice that when logged in the sessiondata is visible in the html source, eg within the sveltekit js chunk:

const data = [null,{"type":"data","data":{session:{access_token:"eyJhbGciOiJI.......",token_type:"bearer",expires_in:3600,expires_at:17002266,refresh_token:"97Fee.......",user:{id:"03344ef92......",aud:"authenticated",role:"authenticated",email:"xx@xx.com",email_confirmed_at:"2023-09-27T09:25:00.924838Z",phone:"",confirmed_at:"2023-09-27T09:20:04.924838Z",last_sign_in_at:"2023-11-13T12:22:51.207615Z",app_metadata:{provider:"twitter"

Is this how it should/needs to work, or am I doing something terribly wrong?

Thanks