I don't think that's what Google are saying here. I think the sentence is referring to Google user data; as long as the Google user data or credentials to access it does not touch another server, the entire thing does not apply.
In fact, in Google's guidance on this subject, they say:
> Local client applications that only allow user-configured transmissions of Restricted Scope data from the device may be exempt from this requirement [to get a Letter of Assessment].
And in another FAQ:
> Local Data Storage: Local client applications don't need to undergo a security assessment because data is run, stored, and processed only on the user's device. Local client applications that only allow user-configured transmissions of Restricted Scope data from the device may be exempt from this requirement.
My feeling is that the author of Pegasus Mail has checked a checkbox incorrectly somewhere, or alternatively has not implemented the desktop oauth2 flow correctly.
In fact, in Google's guidance on this subject, they say:
> Local client applications that only allow user-configured transmissions of Restricted Scope data from the device may be exempt from this requirement [to get a Letter of Assessment].
And in another FAQ:
> Local Data Storage: Local client applications don't need to undergo a security assessment because data is run, stored, and processed only on the user's device. Local client applications that only allow user-configured transmissions of Restricted Scope data from the device may be exempt from this requirement.
My feeling is that the author of Pegasus Mail has checked a checkbox incorrectly somewhere, or alternatively has not implemented the desktop oauth2 flow correctly.