I would like to hear about that your big issue more 
because I’m allowing that for my users explicitly (so anyone can check used queries in the dashboard in convenient UI and they don’t need to bother me :-D):
What will you “hide” when you not allow it? I will use browser console and I can inspect any queries on my own even when you have viewers_can_edit=false.
IMHO: if you need Security through obscurity, then Grafana is not right tool for you.