Hello,
as Joris said, the SCORMs aren't encrypted in the device. In iOS it isn't easy to access it, but in Android it is. Using any file system app you can navigate to the app's folder, search for the SCORM and see all its contents. You don't need to be a hacker to do that
However, in order to do so the "hacker" must have access to the device, and in that case he'll be able to see other user sensitive data like contacts, messages, etc.
I've thought a bit about this and adding encryption can be really complex. The reason is that the SCORM package itself handles the navigation and content, and it expects to receive decrypted files. The app only opens the first file in the SCORM, the rest is handled by the SCORM itself. This means we would have to intercept all the user actions and decrypt the needed files before they're used. Also, we would have to delete all those decrypted files when they are no longer used. This would be really really hard to handle.
I think it would be easier if the SCORM package itself is the one handling encryption. The files are encrypted by default, and the SCORM (via JS) decrypts them and serves the content. However, the SCORM would need to have the secret key hardcoded, so it would be easily broken by hackers.
So in the end, I say the same as Joris: if security is important, it would be better to not allow SCORM packages to be downloaded.
Kind regards,
Dani