Hello everyone
I am not sure this is entirely off-topic, but just in case.
It has been discussed in a few other threads that storing the client secret should not be a security risk. However, all the documentation and tutorials I see about OAuth 2.0 specify that the secret should be kept as secure as possible and treated like a password.
Sure, the user will still need to authenticate, but apparently there are some attacks that can hijack the OAuth flow and act maliciously. For example, it can present itself as rclone (or the custom app if you create your own OAuth creds) and phish the user into authenticating.
Any thoughts on this?
Also, does anybody know whether, in Google Cloud Platform, some IP restriction can be put in place? There is one for API keys, but I can't see any for OAuth 2.0 creds. There is one thing called "VPC Controls", but I don't get it 100%.
All feedback is welcome!
Cheers,
M