Note: this guide comes with a health warning for developers.
It is strongly recommended that developers DO NOT provide users with the option to add a spreadsheet ID in their apps. Spreadsheet IDs should be hard-coded into the web app. Failure to do so may provide others with access to your private Google Sheets.
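To make the note concrete, here is an added example (not code from the thread or from App Inventor) of the two Apps Script web-app patterns it contrasts, written in plain JavaScript so it runs offline: `fakeOpenById` is a constructed stand-in for `SpreadsheetApp.openById`, and `SHEET_ID` is a placeholder for the developer's own hard-coded ID.

```javascript
// Constructed stand-in for SpreadsheetApp.openById (assumption of this
// example): records every ID that gets opened so the handlers can be compared.
const opened = [];
function fakeOpenById(id) {
  opened.push(id);
  return {
    getName: () => "sheet:" + id,
    getSheetByName: (name) => ({ getName: () => name }),
  };
}

// The developer's own spreadsheet ID, fixed in the script (placeholder value).
const SHEET_ID = "PLACEHOLDER_SHEET_ID";

// Weak pattern from the note: the caller's `id` parameter decides which file
// is opened, and the script runs with the owner's authority, so any of the
// owner's sheets whose ID the caller supplies is readable through it.
function doGetWeak(e, openById = fakeOpenById) {
  const ss = openById(e.parameter.id);
  return { name: ss.getName() };
}

// Hardened pattern: the file identity is a constant; the caller may only pick
// a tab from an allowlist, and a supplied `id` parameter is refused outright.
const ALLOWED_TABS = ["summary"];
function doGetHardened(e, openById = fakeOpenById) {
  const p = e.parameter || {};
  if ("id" in p) return { error: "file selection is not supported" };
  const tab = p.tab || ALLOWED_TABS[0];
  if (!ALLOWED_TABS.includes(tab)) return { error: "unknown tab" };
  const sheet = openById(SHEET_ID).getSheetByName(tab);
  return { name: sheet.getName() };
}
```

In a real deployment `doGet(e)` takes only `e`; the extra `openById` argument exists solely so the example runs outside Apps Script.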
Why does this have to exist? This is illegal and insecure. Some developers can build a secret app that steals private Google Sheets and possibly Drive files.
I have not tried this yet. I have no access to any Google Sheets not owned by me, but I am worried that there could be a method to steal Google Drive files as well. I have no idea if this is legal or not. Does MIT allow anyone to build apps like this?
It is the responsibility of the Google account owner to protect their own data; Google tells its users this regularly and recommends ways to keep their account and data safe. If a user shares a file using "anyone with the link", then the user will know that the data therein is available to anyone who has the link to the file.
Google Drive files that are not shared are not shared, and as long as the Google account owner does not share the link, the file remains private. If the Google account owner creates a script that potentially exposes that file, they do so at their own risk. This is not a matter for Google or MIT, but for the account owner.
An AI2 developer can only create an application that can access his own private files on disk. A wise application user is unlikely to paste into such an application a link to a sheet with important data, because it is known that the developer may have placed malicious code intercepting links. However, without this link, no one will get to your data.
I will answer you with a question. Is it against Google policy to develop apps that steal user information? Google created Android Studio and you can create applications that steal data. If you write a Java program that steals data, will the language creator be responsible? Or maybe the creator of the editor or compiler with which the malicious program was created?
To be clear, the only files that have the potential to be exposed are those of the developer / Google account owner. The script/web app, if written in a way to allow injection of file IDs, does not provide access to any files owned by anyone else, only the Google account owner's files.
So, the Apps Script can only access the owner's private files if the script is created by that same owner. If so, that means a person can create an alternate Gmail account with no personal information for his/her apps only. Sorry, I have been away from this topic for several weeks.