What you need to understand is that the entire premise of HTTP is that there is complete separation between servers and clients. Servers see only individual incoming HTTP requests and serve them up to the requesting IP address. They don't understand how a web page is constructed, and they have no knowledge of how a client is making a particular request for a resource. So to the server, a resource (let's say MySecret.js) is served to a client the exact same way in each of these scenarios, and the server will not see any difference between them:
- MySecret.js loaded within an HTML document in a browser
- MySecret.js loaded within an ASPX page in a browser
- MySecret.js called by a separate JavaScript program on another server
- MySecret.js called by a Java program running in a smart light bulb
- MySecret.js typed directly into the URL bar of a browser
Even if you could somehow lock down a JavaScript file to only be called from within an ASPX page (for example), for performance the browser will end up caching that JavaScript file, so it would be trivial to find it within the browser cache on the user's hard drive.
In short, if the JavaScript file is intended to be executed within browsers, by definition it has to be 100% available for a user of that browser to read.