Unfortunately there's no definitive answer as it very much depends on a) what your page does b) how secure it needs to be. The general answer would be to do anything secure where the user can't manipulate it - ie in the server-side code (rather than the js - or, more specifically, normally both). The balance to be made whether the security overweighs the convenience of client-side code.

So, for example, in this case, a first step to making it more secure might be: when login+password are valid, instead of return "true"; from the service, do return "ui5.walkthrough.view.RestartDialog"; then use the return value of the ajax call for the Fragment.load instead of it being on the page.

Full credits to @fdomn-m in comments