[nfw2]

There is no additional data security if you are sending a rendered version of it to client instead of raw version.

Data that will be rendered on the client generally should be sent to the client in my opinion because you can easily determine if bugs are a rendering problem or a data problem without sifting through server logs.

[_heimdall]

There absolutely is. I can fetch a full user record from the database and use it to render on the server, not ideal but still secure. Send the full user record to the client and that data is now more at risk.