Long-Lived Desktop Chat Application OAuth Token Secure Storage

Hahah, I love security. :rofl:

Very good point on this – for most large-scale stuff, I’d expect targeting a bigger surface to be more profitable than some rando’s app. Doesn’t prevent researching/targeting a high-profile person, but that’d be a concern regardless of mitigation measures and some other app could be a weaker link (esp if file access is required anyway).

I was assuming folks would probably store the access token since it lives 60 days and (afaik) doesn’t die when you request a new one? (unless there’s docs somewhere on invalidating an existing token, rather than hoping the user disconnects the app from their account – if I validate the token at https://id.twitch.tv/oauth2/validate then both my old and new token are still valid; I don’t get 401 unauthorized)

Thanks so much for your discussion like this, on a Sunday especially!