I'm rendering some sensitive datas with EJS. Anybody can see it in development console of browsers like this : ?
console.log(ejs.render(..));
You've said you're rendering the secret information. That being the case, your rendering technology has nothing to do with it. If the page is delivered securely (SSL, etc.), then you should be fine. If it isn't, it's not secure whether you use ejs or not.