I haven’t studied any payment gateway (yet), so these are really just rough thoughts:
- As a best practice, I would suggest never storing a password on the client side. If I understand correctly how the RESTful concept works, it’s just OK to save tokens (limited in time) on the client side.
- Are the client_id and client_secret provided by PayPal specific per user of your app, or is there only one client_id and client_secret which identify you (the app maker)? If there is only one client_id (you), then it’s one more argument not to save it on the client side; otherwise, what would happen if that information changed? Would you have to broadcast it to every device?
But like I said, these are really just rough thoughts; maybe I’m fully wrong, and I would not mind if someone corrects me.
P.S.: @joshmorony recently wrote a post about security, where he also spoke about data, kind of interesting: https://www.joshmorony.com/basic-security-for-ionic-cordova-applications/