If the web application is secured properly, then that web.config file is secure from outsiders, but it can be visible to many inside the organization. For one thing, the developers may check the web.config into source control (Git, TFS, etc.) along with the project files.
Google the following for options on how to encrypt the connection string properties.
web.config encrypted connection
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho