I’m not sure what hashing it would do, since that’s a one-way function.
As I understand it, all Zapple Pay does is listen out on relays for a pubkey to send a certain react event referencing a note. When it sees that, it uses the NWC string to initiate a zap on behalf of that wallet.
Those strings can be encrypted, but the key to decrypt them would need to be constantly available, making it a moot point.
The people using Zapple Pay aren’t sending any other data for Zapple Pay to handle (such as a key to decrypt the NWC string or anything).
Safest thing to do if worried is to run your own or, if on Damus, run that Nostr script to re-enable zap functionality.