Seriously, there's no way for the user to verify what happens with them even if they don't send them to the server and generate the token in the app. They could still just encrypt them and hide them in the requests they send to their servers to retrieve calendar data. It's fundamentally a matter of trust, made worse by the fact that apple obviously doesn't offer oauth or a similar mechanism.