
Not quite sure how I feel about all the ClientSecret being hardcoded https://github.com/hickford/git-credential-oauth/blob/62635f...

Is this the only way to make OAuth credential helper work?




This is expected. The OAuth spec defines two client types -- confidential clients (eg. web apps) "capable of maintaining the confidentiality of their credentials" and public clients (eg. native apps) "incapable of maintaining the confidentiality of their credentials". https://datatracker.ietf.org/doc/html/rfc6749#section-2.1

> A native application is a public client installed and executed on the device used by the resource owner ... It is assumed that any client authentication credentials included in the application can be extracted


You could become a developer on each target and make your own client secrets (like I do for `rclone`, `msmtp`, and `offlineimap` access over OAuth).

OAuth makes the app authenticate as well (so that, e.g., API limits can be accounted for across all app installs). It really hampers FOSS clients because the secrets are just…there. Or you make all of your users use prebuilt binaries or become developers to get their own client credentials.


OAuth differentiates between public clients like this (or webpages, apps, etc), which cannot truly keep a secret, and confidential clients (like servers, or apps only installed on one person's machine) which can.

Services really are not supposed to require client secrets for public clients, because the security they can provide is super limited. Often the secret can be pretty trivially extracted just by searching for strings of the right format. The only way to provide any real security to such a secret is obfuscation, which is obviously somewhat weak.

Of course some service may just require such secrets anyway to simplify the integration instructions, which is arguably fine if the service understands that the secret is providing basically nil security for public clients.
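As an added illustration of the point made in this thread (this is not code from the thread or from git-credential-oauth), the following Python check does the "search for strings of the right format" from the defender's side: it flags string literals assigned to a ClientSecret-like key in source so a team can inventory embedded OAuth secrets and confirm the matching OAuth app is registered as a public client with nothing privileged hinging on that secret. The sample source and every value in it are constructed placeholders, and the `plausible` heuristic (length and character set) is an assumption of this example, not anything the thread specifies.

```python
import re
from dataclasses import dataclass

# Constructed sample resembling a Go source file that embeds OAuth client
# credentials per provider. All values are made-up placeholders.
SAMPLE_SOURCE = """\
var providers = map[string]oauth2.Config{
    "github.example": {
        ClientID:     "b895675a4e2cf54d5c6c",
        ClientSecret: "2b746eea028711749c5062b2fe8fa0d0d7f4e3c1",
    },
    "gitlab.example": {
        ClientID: "41c5ae9a2b5d5c7e",
    },
    "env.example": {
        ClientID:     "public-app",
        ClientSecret: os.Getenv("OAUTH_CLIENT_SECRET"),
    },
}
"""

# Matches `client_secret`, `ClientSecret`, `CLIENT_SECRET` ... assigned a
# double-quoted string literal via `:` or `=`. A value fetched from the
# environment (os.Getenv(...)) is not a literal and is deliberately skipped.
SECRET_ASSIGNMENT = re.compile(
    r'(?P<key>client_?secret)\s*[:=]\s*"(?P<value>[^"]*)"', re.IGNORECASE
)

# Heuristic (assumption of this example): real secrets tend to be long tokens
# drawn from a narrow character set rather than short human-readable words.
CREDENTIAL_SHAPE = re.compile(r"^[A-Za-z0-9_\-]{16,}$")


@dataclass
class Finding:
    line: int        # 1-based line number in the scanned source
    key: str         # the identifier as written (e.g. ClientSecret)
    value: str       # the literal found; keep out of logs, use redacted()
    plausible: bool  # True when the literal is shaped like a credential

    def redacted(self) -> str:
        """Show only a prefix so reports do not themselves leak the value."""
        return self.value[:4] + "****"


def find_hardcoded_client_secrets(source: str) -> list[Finding]:
    """Return one Finding per line that assigns a string literal to a client-secret key."""
    findings: list[Finding] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        match = SECRET_ASSIGNMENT.search(line)
        if match and match.group("value"):
            value = match.group("value")
            findings.append(
                Finding(
                    line=lineno,
                    key=match.group("key"),
                    value=value,
                    plausible=bool(CREDENTIAL_SHAPE.match(value)),
                )
            )
    return findings


def report(source: str) -> list[str]:
    """Human-readable lines suitable for a CI log; secrets are redacted."""
    return [
        f"line {f.line}: {f.key} = {f.redacted()} "
        f"({'credential-shaped' if f.plausible else 'short/placeholder'}); "
        f"verify the OAuth app is registered as a public client"
        for f in find_hardcoded_client_secrets(source)
    ]


if __name__ == "__main__":
    for entry in report(SAMPLE_SOURCE):
        print(entry)
```

Run on the constructed sample this reports exactly one line (the `github.example` entry); the env-sourced secret is not flagged because nothing is embedded in the artifact. In a real repository the same function would be run over each source file, and any plausible finding is a prompt to check that the registered OAuth app is a public client and that its secret grants no access beyond what the client_id alone would.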



