Can this be easily removed? We try not to give any tip off for what we’re using for our sites. We don’t want to help the hackers out if we can prevent it.
I don’t believe it can be easily removed and I honestly don’t think it should be removed. Think about Wordpress or Drupal; they all have ways of letting people know that they were built with so-and-so. Also, each CMS has a signature of some kind (regardless if it has the name in it or not). Be default the source will be unique causing things that someone could easily pick up on to know the system. And besides, Grav, is quite secure
Yes it’s possible to override it, use
metadata:
generator: "Your Custom Generator"
in your site.yaml / Site Configuration, even though Grav appreciates being loved with a reference somewhere 
You learn something new everyday!
We love you! We just hate hackers…