If you are a hacker who breaks into a Coda client, you can't access protected data in Coda without a Coda token. You can, of course, read the contents of the local cache if you have root access. You can't change Coda files unless they are world writable; that is, unless the Coda group System:AnyUser has write and lookup access to that directory.
On the other hand, a hacker who breaks into a server can run pdbtool to create users, delete data, fake a Coda token, and do a great deal of damage. We may say that Coda affords some protection to the clients and the data, but you must take pains to guard the Coda server against attack.