If you check the OAuth API verification article here:
These applications [local client applications] may be exempt from the secure handling policy because the security assessment (and successful securement of a Letter of Assessment) primarily addresses risks associated with developers obtaining and storing data on servers.
Developers should specify in the verification application whether they believe the application is a local client application, and we will work with the developer to verify that is the case.
Therefore, when sending the verification application, you should mention that the application you have is a local client one, and if this is indeed the situation, you will be notified about it.
Also, please bear in mind that local client applications can be defined as follows, according to Google:
Local client applications are generally applications that only run, store, and process data on the user's device (like a computer, mobile phone, or tablet). While user actions may cause data to leave a device (such as sending an email), local client applications do not transmit restricted scope data to the developer's servers (or servers specified by the developer), unless the user explicitly configured the application to do so. This would include local email clients, file managers, and calendar and contact management applications that don't utilize cloud services or only transmit restricted scope data to user-configured destinations.
Applications that send restricted scope data to a developer's or third-party's servers without explicit user-initiated action, such as setting up a backup capability, will not be considered a local client.