I'm looking to develop a Google Docs add-on and am trying to think of security best practices. When installing a browser extension, it would obviously be downloaded entirely to the client (it can't be trusted), but what about a Google Docs add-on? If I have important/sensitive data that I need the add-on to process, is it okay to do it there directly or should I send the data to my server for processing like I would if it were an extension/website/mobile app?
It is OK to do your processing in Google Apps Script, as long as you sanitize and validate the inputs you get from the user interface.
Apps Script runs on Google's servers rather than in the web browser. Add-on source code cannot be seen by users, except for public function names. To make a function private and undiscoverable, add an underscore to the function's name, as in function myFunction_(){}. Alternatively, move those functions out of the global scope by encapsulating them in higher-level functions or classes.
Editor Add-on user interfaces are built with HTML/CSS/JavaScript, and run in the client. These user interfaces can be inspected and tinkered with by the user during runtime. Client-side code usually communicates with server-side code through the google.script interface.
Workspace Add-ons use a card-based model where the user interface is built using manifests and API calls. The result is rendered through HTML and friends by the client.
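Added example, not part of the original answer: a server-side entry point that validates what the sidebar sends through google.script.run before any private logic runs. The function names, payload fields, limits and the placeholder processing are assumptions made for illustration.

```javascript
// Server-side code (Code.gs). Payload shape {action, text} and the limits
// below are hypothetical; adapt them to the add-on's real inputs.
const ALLOWED_ACTIONS = new Set(['summarize', 'redact']);
const MAX_TEXT_LENGTH = 10000;

// Trailing underscore: private, so the client cannot call it through
// google.script.run and its name is not exposed.
function validatePayload_(payload) {
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    throw new Error('payload must be an object');
  }
  const { action, text } = payload;
  if (typeof action !== 'string' || !ALLOWED_ACTIONS.has(action)) {
    throw new Error('unknown action');
  }
  if (typeof text !== 'string' || text.length === 0 || text.length > MAX_TEXT_LENGTH) {
    throw new Error('text must be a non-empty string within the length limit');
  }
  // Return a fresh object so unexpected extra properties are dropped.
  return { action, text };
}

// Private: stands in for the sensitive processing (placeholder logic).
function runAction_(clean) {
  if (clean.action === 'redact') {
    return clean.text.replace(/\d/g, '#');
  }
  return clean.text.slice(0, 100);
}

// Public entry point. The sidebar would call:
//   google.script.run.withSuccessHandler(cb).handleSidebarRequest(payload)
// Everything in `payload` is user-controlled, because the client UI can be
// inspected and modified at runtime.
function handleSidebarRequest(payload) {
  try {
    const clean = validatePayload_(payload);
    return { ok: true, result: runAction_(clean) };
  } catch (err) {
    // Any failure is reported generically; details stay on the server.
    return { ok: false, error: 'invalid request' };
  }
}
```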