By default, any files you save to PythonAnywhere are private.
One exception is static files: any files in a folder that has a static mapping (on the web tab) are exposed to the public internet.
NB: by default, we also make any files you put in /var/www/static publicly available as static files.
Another exception is Dropbox -- we can't control what happens to files in your Dropbox. For example, you might have shared a public folder with us. In most cases, though, Dropbox files are probably fine too.
So the real question is: is your web framework going to keep your files secure? And is your application code? One thing to check is debug messages -- in Django, for example, if you leave DEBUG = True in your settings, then error pages will display tracebacks, which might include parts of your code, which could include secrets like your keys. So that's the kind of thing to think about.
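A small pre-deployment audit for the two exposure points described above, as an added example that is not PythonAnywhere's own code: it lists files in a static-mapped folder that look sensitive and checks whether a Django settings module hard-codes DEBUG = True. The function names, the file-name lists and the sample folder are assumptions constructed for illustration.

```python
import ast
import os
import tempfile

# Assumed names/suffixes that should never sit in a publicly served static folder.
RISKY_NAMES = {".env", "settings.py", "local_settings.py", "id_rsa"}
RISKY_SUFFIXES = (".py", ".sqlite3", ".db", ".pem", ".key", ".bak")


def risky_static_files(static_root):
    """Return sorted paths (relative to static_root) that look sensitive."""
    hits = []
    for dirpath, _dirs, files in os.walk(static_root):
        for name in files:
            if name in RISKY_NAMES or name.lower().endswith(RISKY_SUFFIXES):
                full = os.path.join(dirpath, name)
                hits.append(os.path.relpath(full, static_root))
    return sorted(hits)


def debug_is_hardcoded_true(settings_source):
    """True if the last top-level DEBUG assignment is the literal True."""
    result = False
    for node in ast.parse(settings_source).body:
        if isinstance(node, ast.Assign):
            for target in node.targets:
                if isinstance(target, ast.Name) and target.id == "DEBUG":
                    value = node.value
                    result = isinstance(value, ast.Constant) and value.value is True
    return result


def demo():
    """Audit a constructed static folder and a constructed settings snippet."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("css/site.css", "js/app.js", ".env", "backup/db.sqlite3"):
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            open(path, "w").close()
        files = risky_static_files(root)
    settings = "SECRET_KEY = 'constructed-placeholder'\nDEBUG = True\n"
    return files, debug_is_hardcoded_true(settings)


if __name__ == "__main__":
    print(demo())
```

To use it on a real account, pass each folder listed under static mappings on the web tab (and /var/www/static) to risky_static_files, and the text of your settings file to debug_is_hardcoded_true.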