Security is built in layers. Is it theoretically possible for someone on the network to observe the knock sequence? Yes. Is it likely to happen in any but the most adversarial of conditions? No. And if it’s implemented in a cryptographically secure way, like fwknop, then it’s really very good.