If I log in to a mobile/web app with a Google account, what stops the developer also using that account?

Çağlar Arlı

I have an admittedly vague understanding of how OAuth works, but I recently went through the rigmarole of installing rclone and having it sync some files from my Google Drive to my Linux laptop.

As part of rclone's documentation, it is recommended that I create my own Google App in their developer portal, and populate my local rclone config with the Client ID and Client Secret of that Google App. I presume this was so that any usage would be specific to me, e.g. for billing/usage-limits purposes, and not some generic rclone app instance (although that option was also available). The Google App remains in 'testing' mode, and only my Google email address is listed as a test user. When configuring rclone with access to my Google Drive, I was redirected to a Google login screen populated with the details of my Google App, and received some warnings/confirmations about how my Google App wasn't verified yet.

Since I am the only holder of that ID and Secret (assuming nothing nefarious on rclone's part, nor any compromise of my laptop), am I right in thinking that only I can actually access that Google Drive (bar Google themselves) via that configuration?

If I were to use rclone's default settings (presumably using their Google App ID/Secret, internally), what (if anything) is stopping the developers/controllers of that Google App from accessing my Google Drive, behind the scenes, outside of my intended usage of their app?

I also have a Windows application and an Android app, which both also sync files from my Google Drive. Those apps presented the Google login screen populated with their own details, and don't offer the opportunity to configure my own Client ID/Secret (so I assume I am using theirs, internally).

Are my Google-related files or services any more or less available to the developers of the Windows and Android apps (using their Client ID/Secrets), than they are to the rclone developers (using mine)?

Specifically, why?

Would that position change if the "app" was a website (e.g. if the website's Client ID/Secret were in a discoverable config file)?