If we keep files(pdf, epub, jpeg etc) under application's data folder on run time, is it possible to access them via root user or any other hack by somebody else?
Yes. As root you have unrestricted access to anything on the device. Even an applications runtime data, you can retrieve anything easily. An example would be to connect your device and retrieve a file by;
$ adb pull /path/to/remote/file localfile