Obviously the user has access to all data being sent to/from his browser. By “secret”, they mean that it’s information shared only between the server and the user.
Yes, by “leak”, they’re saying that if you get a CSRF token from site www.example-1.com, you should not include that token in any POST data being sent to www.example-2.com.
The browser itself will not include the cookie version of the token on any requests to www.example-2.com - that is not something you need to be concerned about.