Best practice for keeping OAuth2 client_secret confidential

You can encrypt the config file, but the user will need to know the decryption password.

That is correct. It isn’t an ideal solution, but in my opinion the client_secret isn’t that important. It doesn’t allow access to any other data; all it does is identify the client. If compromised then your client can be spoofed, which I don’t think is a big deal.

An interesting idea…

Maybe it could be generalised for every config variable, so if there was backend_setting then backend_setting_command would be a command to run to read it. Probably not too tricky…
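One way the `<setting>_command` idea above could work, as an added illustration that is not rclone’s own code: a resolver that, for every key ending in `_command`, runs the command through `sh -c` and stores its trimmed output under the bare key, so the secret never has to be written into the config file. The function name `ResolveConfig`, the suffix constant and the sample config are assumptions made for this example.

```go
package main

import (
	"fmt"
	"os/exec"
	"strings"
)

const commandSuffix = "_command"

// ResolveConfig returns a copy of cfg in which each "<name>_command"
// entry has been run via "sh -c" and replaced by a "<name>" entry
// holding the command's trimmed standard output. A key that is set
// both as a literal value and as a command is rejected as ambiguous
// rather than silently preferring one of them.
func ResolveConfig(cfg map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(cfg))
	for k, v := range cfg {
		if !strings.HasSuffix(k, commandSuffix) {
			out[k] = v // plain settings are copied through unchanged
		}
	}
	for k, cmdline := range cfg {
		if !strings.HasSuffix(k, commandSuffix) {
			continue
		}
		name := strings.TrimSuffix(k, commandSuffix)
		if _, dup := cfg[name]; dup {
			return nil, fmt.Errorf("%s: both a literal value and %s are set", name, k)
		}
		raw, err := exec.Command("sh", "-c", cmdline).Output()
		if err != nil {
			return nil, fmt.Errorf("%s: running %q: %w", k, cmdline, err)
		}
		out[name] = strings.TrimSpace(string(raw))
	}
	return out, nil
}

func main() {
	// Constructed sample config: the secret is produced at run time by a
	// command (here a trivial printf standing in for a secret manager call).
	cfg := map[string]string{
		"client_id":             "example-client",
		"client_secret_command": "printf 'not-a-real-secret'",
	}
	resolved, err := ResolveConfig(cfg)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("client_secret resolved, length", len(resolved["client_secret"]))
}
```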

You can pass config to rclone via environment variables, command line options, and the config file, all of which are visible to the determined user. rclone could potentially overwrite sensitive environment variables I suppose.

That will work, but long running transfers (running longer than the token age) will need a refresh token.