Security is a vast and complex topic, with many ramifications. We can only address some of them here. If you have security concerns that are not addressed here, please contact us and we'll be happy to discuss them with you.
Gallium Data usually runs as a Docker container. Under normal deployment settings, it does not expose any ports other than those defined as active connections.
Gallium Data does not have any database credentials: it acts as a pass-through for credentials and does not retain them in any way (unless you create a filter for that, but even then you'd be limited to what is visible on the wire).
Network traffic will often be encrypted, usually using TLS 1.2. This means that Gallium Data needs to have a private key (and its trust chain if necessary).
You can use the same key and certificate(s) that you use on your database server(s), or you can use a different key for Gallium Data.
The admin app is meant for development and debugging only, and has only minimal security features. When running Gallium Data in production, you will normally not open the REST/web ports.
Nevertheless, to avoid leaving the app completely open, two features can be used to bring some security to the admin app: giving it a password, and restricting IP addresses. Both are set using the configuration file or configuration options, and provide some level of access control.