There is no right or wrong answer. There are numerous factors to consider:
- If this is for/in G-Suite, then your G-Suite admins’ll have (or can get) access to anything. This may or may not be an issue.
- If you put the data in a sheet, anyone that has read access to the sheet can see the data.
- You can use
PropertiesService
but then folks can access as explained in the documentation. User properties is one way but may not work in all use-cases — like if another user is executing the code. You could use installable triggers if that is do-able for your use-case. - If folks need to be able to make the API call with your key, you could write a proxy web-app that they can call but not see source for.