BTW @[email protected] was right. Anyone can view the contract deployment transaction and see the value of secretNumber that was passed as an argument to the constructor.
For those that want to have an actual go at it: when deploying it with hardhat for example, you can pass in Math.floor(Math.random()*1000) as the constructor argument in the deploy script, and then see if you can derive the number on the first guess.