Assume that I running public node without SSL applied.
Is this node can be problem?
Some api's need secretphrase to sign transaction.
Some api's are no need to input secretphrase, like getAllAssets
But when I sign locally and send signed transaction to broadcast them, hacker cannot know my secretphrase.
If i use this node only broadcasting signed transactions, is there any problem?
As you wrote, as long as you sign locally like the wallet does, there's no problem with the secret phrase. There are functions that send secrets like your admin password or the encryption password of the processes configuration.
So the recommended setup is to always use SSL. Nowadays it's really easy and free thanks to Let's Encrypt.