If you create a 3rd party app to some closed source insecure back end, thats on you for trusting them or not doing your due diligence.

Time and time again private companies have rug pulled things like api access for 3rd party apps (such as twitter/X). Building 3rd party clients for private systems should already be approached with heavy scepticism and always be prepared for the worst.