This page in the documentation explains the metadata.json file and it’s use:
I think that you are referring to the metaMODEL.json file, not the metaDATA.json file.
The metadata.json is located in the model folder of a deployment package (or in the deployment/model folder when running locally).
As far as I know it should never be presented to a user through the browser. It contains a lot of detailed info about the application including values of contstants.
The metaMODEL.json file is contained in the web folder of your deployment package (or deployment/web) when running locally.
I can't find anything in the documentation about that file though and am interested in finding out what it is too.
To me, it seems like it should not be exposed because it can show information about what entities and microflows are in your model, regardless whether the user is allowed to access/use those.
Maybe someone from @Mendix can pitch in?