Agree, but with CLI/API being the hype, it's quite common to have those tools save tokens to local files (esp. if they can't store into keychain). I wished more people understood the security implications and used MCPs instead which have a tighter boundary / keys managed well