Why are config and API secrets public?

In this repository, it is recommended to add `cloud_name`, `api_key` and `api_secret` to the file `signed-uploads/public/js/config.js`. I found this surprising, since the contents of the `public` folder are published by express. Would it not be safer to keep these secrets hidden?