API secrets exposed

Hi Joplin Team,
I was just going through the code and I found some API secrets exposed in the file /packages/lib/parameters.js
And using these secrets, other applications can pose as “Joplin” to users or GitHub - potentially opening up abuse scenarios?
I wanted to ask -
a. Was this approach intentional?
b. What are your thoughts on these impersonation scenarios?

You can't keep such "secrets" secret in a desktop/mobile app. If someone impersonates Joplin and that becomes a problem, we change the keys.

And how do you keep track of these activities?

Could you explain what your concern is?