That’s a pretty strong statement. Personally, I would much rather prefer that frameworks have the absolute freedom to handle lifecycle management as they see fit to improve performance and resource usage. Unfortunately, it seems impossible to satisfy both of us, so perhaps we can solve your problem some other way.
My basic take on mobile app security is that anything “vital” needs to be done on servers under my control, but to flesh that out a bit, the first big division among threats is whether or not you trust the device owner / user.
If you don’t trust the device owner, then absolutely nothing you try to do on the device can be secure. Our blackhat could be running it in an emulator that can step through your code, change internals at will, and see any secrets that are baked therein. So if that’s the situation you’re in, I think you need to redesign the protocol so that everything “vital” happens on the server.
If you do trust the device owner, then the biggest next class of problems is “OK, what happens if blackhat steals our user’s phone?”. Let’s say that’s where you are, because that’s the only place that we can do anything in the mobile app code. The next question is “can we trust the device lockcode?”. Here’s where most of the security/usability tradeoffs come in. Deciding to trust the device locking system allows you to relax a bit, as you can use things like Ionic Secure Storage or other similar systems that store sensitive information in OS-locked vaults. If you can’t trust the device lockcode, then I would recommend having the user enter a passphrase at app startup and using a KDF such as bcrypt to derive a symmetric encryption key.
So I’m trying to imagine what could possibly be on your super-sekrit page, and my best guess is something like a one-time-password. If it’s something like that, then you could ping the server upon navigating away from that page, telling it to invalidate the token. Combine that with a server-side timeout, and you’ve defanged any problems that could come from having the OTP redisplayed.
TL;DR: I think there should be a way to design away your problem, and if you would like to continue the conversation about how to do that, it would be extremely useful to know exactly what’s on this secret page, and what the exact threat scenario you’re concerned about is.