It may not be a security risk, it may simply be that there is no legitimate use case that Twitch want to support for 3rd parties to access that data without the user token from the broadcaster with appropriate scope.
If you have a use case that would require using an App token rather than the broadcasters token granting the appropriate scope you can create a feature request for it https://twitch.uservoice.com/forums/310213-developers