There are several options, but keep in mind that the purpose of tailf:hidden is not to hide the data from a malicious user, it is more something like a note to the user that this element should not be touched unless the user really knows what she is doing. From this point of view, there is nothing wrong in having the hide-group password plaintext in your JS code. If the aim is to protect the data from read or write access by a group of users, NACM rules are probably a better way to go.
The options, some of them may or may not be applicable to your use case:
employ NACM instead, as written above;
let the user write the hide group password - if the user is expected to have access to the element, she should know the password;
if the aim is to store data that would be used later by e.g. a CDB subscriber, you may want to have a look at transaction hooks or set-hooks.
Or maybe this leaf is not supposed to be really configurable, i.e. you can declare the leaf as config false and either implement a data provider for it, or declare it also tailf:cdb-oper with tailf:persistent true and your hook can update the leaf in the operational CDB. That may be actually better approach, depending on how other components of your system are supposed to treat this leaf.