From my experience you should have no problem storing sensitive information in
.npmrc. As you have found out yourself, it is not copied when you remix the project, and there are no ways to access it on a public project.
Keep in mind, though, just because a file / directory is hidden in the editor does not mean that it will be excluded from remixes. This includes dot files / directories.
I have tried in the past, but sadly I have not been able to find a list of files / directories that are excluded from remixes, so you will have to manually check when needed. However, if you are interested, some of Glitch’s other block lists are available, via the editor, in the following files: