Steam also stores your credentials world readable on the file system. I reported it, I think in 2016, and they just said it was a limitation. I know Epic Games takes security more seriously than Valve at least.
As I understand it, there's no way to have the feature of "remember me" on the login box allow skipping 2FA without this. Anywhere they could put it while still allowing a no interaction login would be just as vulnerable.
The primary way of attack was to trick a steam user into either uploading the token file directly, or trick the user into running an executable that uploaded it silently. If you're already tricking the user into running an executable you design, there's not much left that can be done to stop this since such an executable could reach inside the running steam process and read whatever data it likes.
The attack here is simply that another login on the same machine can get the token. I think that’s how I discovered it: I logged into another account on my machine and Steam logged in using my other account on startup without asking me to log in again.
I should also mention the trend towards these Vault services to store secrets is even worse, as they effectively make all secrets on a machine world readable since an off-box service can’t determine what user is making the request. And the trust-on-first-use idea is lacking in most implementations, and vendors like HashiCorp in fact don’t want to add it anymore since apparently their users had problems using it and would lock their apps out by accident. So... yeah.
Plus, use Windows' Protected Storage Subsystem (which has been around forever) to at least lock the tokens to a specific Windows account/user. No need for a machine-wide readable file even if the tokens were signed and encrypted.
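As an added illustration of the per-user protection the comment above describes (not code from any commenter, Valve or Epic): a DPAPI round-trip with `DataProtectionScope.CurrentUser`, plus an ACL check for token files readable by broader groups. The launcher name, file path and entropy string are hypothetical.

```powershell
# Added example: bind a session token to the current Windows user via DPAPI.
# A different local account reading the same file gets a blob it cannot unwrap.
Add-Type -AssemblyName System.Security

# Hypothetical token location; real launchers use their own paths.
$TokenPath = Join-Path $env:LOCALAPPDATA 'ExampleLauncher\session.token'
# Optional entropy ties the blob to this application as well as to this user.
$Entropy   = [System.Text.Encoding]::UTF8.GetBytes('ExampleLauncher-v1')
$Scope     = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-SessionToken {
    param([Parameter(Mandatory)][string]$Token)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Token)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($plain, $Entropy, $Scope)
    New-Item -ItemType Directory -Force -Path (Split-Path $TokenPath) | Out-Null
    [System.IO.File]::WriteAllBytes($TokenPath, $blob)
}

function Unprotect-SessionToken {
    $blob = [System.IO.File]::ReadAllBytes($TokenPath)
    try {
        $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $Entropy, $Scope)
        [System.Text.Encoding]::UTF8.GetString($plain)
    } catch [System.Security.Cryptography.CryptographicException] {
        # Thrown when a different user (or a different entropy) tries to unwrap the blob.
        Write-Warning "Token blob is not decryptable in this user context."
        $null
    }
}

function Get-BroadReadAccess {
    # Audit helper: list Allow ACEs granting read to identities other than the current
    # user (e.g. BUILTIN\Users or Everyone), i.e. the world-readable case discussed above.
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights -match 'Read' -and
        $_.IdentityReference -notlike "*\$env:USERNAME"
    }
}

# Demo with a constructed sample token.
Protect-SessionToken -Token 'constructed-sample-token-123'
Unprotect-SessionToken
Get-BroadReadAccess -Path $TokenPath | Format-Table IdentityReference, FileSystemRights
```

DPAPI keys derive from the user's logon credential, so an administrator or a second local account sees only ciphertext; if `Get-BroadReadAccess` returns entries, tighten the file ACL as well rather than relying on encryption alone.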
Seeing how Epic was caught uploading a copy of that file (which also contains the friend list and wish list) for untold purposes (officially to import friends while bypassing the Steam API), I don't think they deserve any praise.