This is a known issue with OAuth and is how basically any electron app works. The tl;dr is if you're able to steal files "as the user" it's already game over. This is no different than stealing ...
Some results have been hidden because they may be inaccessible to you
Show inaccessible results
Feedback