Public App but where Request URLs are hidden? - and other related stuff

I am looking for some guidance on whether or not a service layer's Request URL can be made unviewable (from browser developer tools) along with some other related things.   Coming from a non-IT perspective, I have certainly read a lot about proxies, reverse proxies, tokens, etc regarding locking down a layer specific to an application.  Granted, I still haven't done that in testing although I played around a bit with WAB dev and the ESRI resource proxy. I did not have any luck through testing and with help from some various other discussion posts on GeoNet (total newb so understandable).  I dont need that implemented now, but rather in the future most likely.

My understanding is that locking a service down is possible, but I assume the request URL will always be there whether its the typical service type link or a proxied address of which could still be used to connect to confidential data?  Or does it not matter if a person had that address, if you somehow locked down that service for use only in the designated application?  Therefore, even if they had it, it couldn't be used unless mined within that application?   Although I think this service would also have to be in the web map (for the app)  as well to be used unless making use of the custom LocalLayer widget that doesn't require a web map.

Is it a matter of proxies, generating tokens and applying them somehow to a service url through the Server Manager?  Something else?

This is all challenging terminology to grasp, but would like to gain a better understanding.  Thank you. 😃