are audit keys like updatedBy visible to

are audit keys like _updatedBy visible to all users with access to the document, or is that protected in some way I don't understand? Specifically, if I have a customer facing app that retrieves the document (because everything else about that document ought to be public), is the email address of the content manager of that document being leaked to the public via the _updatedBy key?