> Doesn't this let anyone else make API calls as your app?
The only thing that client id / secret is authorized to do is redirect to the following URL: https://fpljkobkodmnmldgodfefnmjgjlljbjn.chromiumapp.org/oau...
Which can only be accessed by an installed Chrome Extension with that ID. So no one should be able to authorize anything besides this app using that information.
More information about what it does expose is here: https://tools.ietf.org/html/rfc6819#section-4.1.1
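The restriction described above, seen from the authorization server's side, as an added example that is not part of the original comment. It assumes the provider compares the requested `redirect_uri` to the registered one by exact string match; the client ID, extension ID and path below are constructed placeholders, and `resolveRedirect` is a hypothetical helper.

```javascript
// Constructed sample registration (placeholders, not the values from the post).
const REGISTERED_URI =
  "https://abcdefghijklmnopabcdefghijklmnop.chromiumapp.org/oauth2";
const REGISTERED = { "example-client-id": [REGISTERED_URI] };

// Hypothetical helper: decide where, if anywhere, the authorization response
// for this client may be delivered. Knowing the client id (or an embedded
// secret) does not change the answer: the response only ever goes to a
// pre-registered URI.
function resolveRedirect(clientId, requestedUri) {
  const allowed = REGISTERED[clientId];
  if (!allowed) return { ok: false, reason: "unknown_client" };

  let parsed;
  try {
    parsed = new URL(requestedUri);
  } catch {
    return { ok: false, reason: "malformed_uri" };
  }
  if (parsed.protocol !== "https:") {
    return { ok: false, reason: "scheme_not_https" };
  }
  // Exact string comparison: no prefix, wildcard or host-suffix matching.
  if (!allowed.includes(requestedUri)) {
    return { ok: false, reason: "redirect_uri_mismatch" };
  }
  return { ok: true, redirectTo: requestedUri };
}

// Constructed requests that all reuse the same, publicly known client id.
function demo() {
  const requests = [
    REGISTERED_URI,                                   // the installed extension
    "https://ponmlkjihgfedcbaponmlkjihgfedcba.chromiumapp.org/oauth2", // other extension ID
    "https://other-site.example/oauth2",              // unrelated origin
    REGISTERED_URI + "/extra",                        // prefix of registered URI
    REGISTERED_URI.replace("https:", "http:"),        // downgraded scheme
  ];
  return requests.map((uri) => resolveRedirect("example-client-id", uri));
}

console.log(demo());
```

Only the first request yields a redirect; every other one is refused before any code or token is issued, which is why the embedded credentials on their own do not let a different app or site complete the flow.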