When I was on my Google Account -> Security -> Apps with access to your account, I can see under “Third-party apps with account access”, rclone is listed there with access to Google Drive.
If I click on it, it’d expand and says rclone has access to: “See, edit, create, and delete all of your Google Drive files”, with Homepage: “http://rclone.org”, and Access given to: “rclone.org”.
I removed this access, and tested adding a remote using rclone config again and it’d reappear.
It seems that going through the configure steps grant access blanket access to everything in the Google Drive. The question is how can we know whether this is for the rclone executable running on my local machine that I just configured, or this is for the rclone organization?
It’s only for your specific rclone.config file you created.
If you give/share/post/etc the file though, people will have access.
When using the config 'wizard' you get the choice to use your own OAuth key. The docs explain that by not doing this, an access key made by rclone will be used, with implied limitations.
This is just for the token that is stored in the rclone config file. This passes straight from google to your computer when you do
rclone config it never goes via any rclone servers.
So that is a scary warning, but the only access is for rclone on your computer.
That oauth flow is really designed for web apps hence the warning.