Comment by wutwutwat

One way to handle this is to send a notification with data that is meaningless, like a notification id or something, to trigger the app, which then (thanks to background app refresh, etc), pings your backend server with the id and retrieves the actual notification details. The only way to be 100% sure things are not being snooped while passing through push servers (or any third party you put your trust into), is to make the data they handle meaningless without also having access to your systems after they handle your push. Government can spy on your notification UUIDS that you send all day long, it won't do them much good though.

These concerns are not unique to government. Don't trust any third party with your data. Security 101