They need more than the API secret. They also need a token. If it's all done on a server you don't own, it's dangerous.
Yes, but I can choose to compile my own.
I believe it is. If I were the developer, I wouldn't want to control a device that can access thousands of users' data if it were compromised.
I've compiled my own.
I trust a developer to make sound security decisions and not create a security problem. I shouldn't have to trust a developer with securing my authentication credentials.
All in all, we can agree to disagree here.