An application's functionality is split between the front end and the back end: the front end issues a request, and the back end generates the response.
Validating every front-end request is the primary job, but the information the back end sends out should also be monitored.
Attackers can easily access hidden data, so the code has to be written with that in mind. An example makes the point clearer.
Suppose you want the list of clients who have registered to buy cars. A SQL query is executed and all of their information is retrieved. You then send all of it to the front end, where it is filtered down to first name and last name.
You assume that the rest of the data (email address, date of birth, address, contact number, etc.) is hidden, but attackers are smart enough to capture those details. This is called data leakage.
Hence, always fetch only the required data from the back end. There is no need to pull everything and then hide it.
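
The car-client scenario above, as an added example that is not part of the original article: one handler returns every column and relies on the front end to hide them, the other selects only the two names. The table layout, function names and sample rows are assumptions constructed for illustration.

```python
import json
import sqlite3

def make_db():
    # Constructed sample data; table and column names are assumptions.
    db = sqlite3.connect(":memory:")
    db.row_factory = sqlite3.Row
    db.execute("""CREATE TABLE clients (
        id INTEGER PRIMARY KEY, first_name TEXT, last_name TEXT,
        email TEXT, date_of_birth TEXT, address TEXT, contact_number TEXT)""")
    db.executemany(
        "INSERT INTO clients VALUES (?, ?, ?, ?, ?, ?, ?)",
        [(1, "Asha", "Rao", "asha@example.test", "1990-04-02", "1 Example Rd", "555-0101"),
         (2, "Ben", "Ortiz", "ben@example.test", "1985-11-19", "2 Sample St", "555-0102")])
    return db

def list_clients_leaky(db):
    # Before: every column is serialized; the UI merely displays two of them,
    # so the rest is readable in the raw response.
    rows = db.execute("SELECT * FROM clients ORDER BY id").fetchall()
    return json.dumps([dict(r) for r in rows])

# Allowlist of what the view needs. Fixed constants, never user input.
PUBLIC_FIELDS = ("first_name", "last_name")

def list_clients_minimal(db):
    # After: the projection happens in the query, so the other columns
    # never leave the back end.
    sql = f"SELECT {', '.join(PUBLIC_FIELDS)} FROM clients ORDER BY id"
    rows = db.execute(sql).fetchall()
    return json.dumps([dict(r) for r in rows])

def exposed_fields(body, allowed=PUBLIC_FIELDS):
    # Response check for a test or monitor: keys present but not allowed.
    return sorted({k for rec in json.loads(body) for k in rec} - set(allowed))

if __name__ == "__main__":
    db = make_db()
    print("leaky  :", exposed_fields(list_clients_leaky(db)))
    print("minimal:", exposed_fields(list_clients_minimal(db)))
```

Running `exposed_fields` against real responses in an integration test catches a later `SELECT *` regression before it ships.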