They are as secure as your database. In other words, all data for this plugin is stored in cleartext in the database table (wp_participants_database). This includes the Private ID column as well. If someone can gain access to your database, then all participant information is visible to them.
That being said, the actual Private ID itself (the five digit alphanumeric ID for each record) is randomly secure. In other words, there won't be any duplicates, and each new record gets a randomly generated string, and the only way someone could circumvent the built-in security and update someone else's record is if they either (1) just happen to guess the random string (very unlikely), or (2) intercept/obtain the ID through some nefarious method.
In general, this is a reasonably secure plugin, and a reasonably secure mechanism for ensuring safe access for participants. You're not going to stop a determined hacker from getting into a record, but you'll stop 98% of the casual hackers.
Extending the string to 10 digits will make it more random, but unless you plan on accepting something like 435,000 participants, you won't hit any limits for quite some time.