Replacing the OAuth service

“Rclone OAuth Implemented Incorrectly. Exposes Client Secrets?” explains why they went the other way. Either way has issues, and I’m not sure which is worse. Secrets in source got rclone banned from ACD; however, that’s just an illustration of the who-holds-the-secrets issue, because they’re discontinued now.

However, corporate IT departments might prefer to set up their private C# server, just the way they like.

As a side note, there can reportedly be performance advantages to cutting loose from the large crowd.
“Making your own client_id” talks about how things like rate limiting can be tied to the specific client ID used.

Detailed directions there are interesting. Seemingly Google doesn’t mind taking a program’s app name repeatedly, but if someone abuses them, I wonder if it’s their client ID or our app that gets into trouble?

sounds like a vote for not sharing our secret, but I don’t know if our app gets dragged in by association.

EDIT:

Actually, the end user could also get dragged in. Is there any reliable data on who/what gets a ban first?