- Transactions in the mempool are public and anyone can read the transaction data directly from it. This feature is there to help miners and bring transparency to the system.
- This also allows a sender to replace a pending transaction by resubmitting it with the same nonce and a higher gas price. This is only possible while the sender is authorized to do so and the transaction has not yet been mined.
- To demonstrate the effect of this issue, consider the example of an ERC20 contract. The contract has an approve function, which authorizes another address to spend tokens on your behalf:
```solidity
pragma solidity ^0.4.24;

contract ERC20 {
    // owner => spender => remaining allowance
    mapping(address => mapping(address => uint256)) allowed;
    event Approval(address indexed owner, address indexed spender, uint256 value);
    // ...
    function approve(address _spender, uint256 _value) public returns (bool) {
        // Unconditionally overwrites whatever allowance _spender currently has
        allowed[msg.sender][_spender] = _value;
        emit Approval(msg.sender, _spender, _value);
        return true;
    }
    // ...
}
```
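To make the ordering dependence concrete, here is an added Python model of the allowance bookkeeping (not code from the original page); the Token class, the decrease_allowance method and the accounts alice/bob are constructed for illustration.

```python
# Toy model of ERC20 allowance bookkeeping (constructed for this example, not a
# real EVM). It shows why overwriting a non-zero allowance with approve() is
# unsafe when a pending transferFrom can be mined first, and how a relative
# decreaseAllowance-style update keeps the owner's exposure bounded.

class Token:
    def __init__(self, balances):
        self.balances = dict(balances)
        self.allowed = {}  # (owner, spender) -> remaining allowance

    def approve(self, owner, spender, value):
        # Plain EIP-20 approve: unconditionally overwrites the allowance.
        self.allowed[(owner, spender)] = value
        return True

    def decrease_allowance(self, owner, spender, subtracted):
        # Relative update: only removes what is still unspent, so an allowance
        # consumed by an earlier-mined transferFrom cannot be "refilled".
        key = (owner, spender)
        self.allowed[key] = max(self.allowed.get(key, 0) - subtracted, 0)
        return True

    def transfer_from(self, spender, owner, to, value):
        key = (owner, spender)
        if self.allowed.get(key, 0) < value or self.balances.get(owner, 0) < value:
            return False
        self.allowed[key] -= value
        self.balances[owner] -= value
        self.balances[to] = self.balances.get(to, 0) + value
        return True

def spend_under_reordering(use_decrease):
    """alice wants to lower bob's allowance from 100 to 50, but bob's pending
    transferFrom(100) is mined before her update. Returns the total bob ends
    up able to move, i.e. alice's worst-case exposure."""
    t = Token({"alice": 1000})
    t.approve("alice", "bob", 100)
    # bob's transferFrom was already in the mempool and lands first
    t.transfer_from("bob", "alice", "bob", 100)
    if use_decrease:
        t.decrease_allowance("alice", "bob", 50)   # 0 left: nothing to take
    else:
        t.approve("alice", "bob", 50)              # overwrite: 50 available again
    remaining = t.allowed[("alice", "bob")]
    t.transfer_from("bob", "alice", "bob", remaining)
    return t.balances["bob"]
```

With the plain approve the spender can move the old and the new allowance (150 tokens); with the relative update the exposure stays capped at the 100 that had already been granted.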