Authorizing a plugin to call Google Analytics v4 API on wp_cron
I am building a plugin that will need to access the administrator's analytics account and pull some data on regular intervals, using the WP-Cron mechanism.
I have looked at the instructions for authorizing the analytics API version 4. My plan is to let the administrator do OAuth2 authorization with Google offline access. The user will verify their account and get back a token that can be copy-pasted into the plugin for API access. The plugin can then refresh the token for a new one as needed.
I have chosen the Web Server flow as the most appropriate in this use case.
I have been looking at the code for Google Analytics by MonsterInsights and they seem to be doing the same thing. But they need to include the client id and secret key for their app with the source code.
Isn't it a problem to include the client private key with the source code? Is there some better practice I need to be following?
Any info greatly appreciated.
Edit: See these quotes from https://developers.google.com/identity/protocols/OAuth2WebServer
We recommend that you design your app's auth endpoints so that your application does not expose authorization codes to other resources on the page.
and
Important: Do not store the client_secrets.json file in a publicly-accessible location. In addition, if you share the source code to your application—for example, on GitHub—store the client_secrets.json file outside of your source tree to avoid inadvertently sharing your client credentials.
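The practice the quoted Google guidance points at, as an added example that is not the poster's code and not MonsterInsights' code: the client id and secret are read from constants the site administrator defines in wp-config.php (assumed names GA_OAUTH_CLIENT_ID and GA_OAUTH_CLIENT_SECRET), so the plugin's own source tree never contains them, and the refresh token from the one-time offline-access consent is kept in an assumed option name and exchanged for a short-lived access token from a WP-Cron hook.

```php
<?php
// Added example: credentials live in wp-config.php, never in plugin files.
function ga_oauth_client_credentials() {
    // Assumed constant names; the admin defines them outside the plugin.
    if ( ! defined( 'GA_OAUTH_CLIENT_ID' ) || ! defined( 'GA_OAUTH_CLIENT_SECRET' ) ) {
        return null; // not configured: the cron job does nothing
    }
    return array( 'id' => GA_OAUTH_CLIENT_ID, 'secret' => GA_OAUTH_CLIENT_SECRET );
}

// Exchange the long-lived refresh token for a short-lived access token.
function ga_oauth_refresh_access_token() {
    $creds         = ga_oauth_client_credentials();
    $refresh_token = get_option( 'ga_oauth_refresh_token' ); // assumed option name
    if ( null === $creds || empty( $refresh_token ) ) {
        return new WP_Error( 'ga_oauth_unconfigured', 'OAuth client or refresh token missing.' );
    }
    $response = wp_remote_post( 'https://oauth2.googleapis.com/token', array(
        'timeout' => 15,
        'body'    => array(
            'grant_type'    => 'refresh_token',
            'client_id'     => $creds['id'],
            'client_secret' => $creds['secret'],
            'refresh_token' => $refresh_token,
        ),
    ) );
    if ( is_wp_error( $response ) ) {
        return $response;
    }
    $code = wp_remote_retrieve_response_code( $response );
    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( 200 !== $code || empty( $data['access_token'] ) ) {
        // Revoked consent or a wrong secret surfaces here; report it, do not loop on retries.
        return new WP_Error( 'ga_oauth_refresh_failed', 'Token refresh failed.', $data );
    }
    // Cache the access token only for (slightly less than) its stated lifetime.
    $ttl = isset( $data['expires_in'] ) ? max( 60, (int) $data['expires_in'] - 60 ) : 60;
    set_transient( 'ga_oauth_access_token', $data['access_token'], $ttl );
    return $data['access_token'];
}

// Run the refresh (and, after it, the report pull) from WP-Cron.
add_action( 'ga_oauth_cron_refresh', 'ga_oauth_refresh_access_token' );
if ( ! wp_next_scheduled( 'ga_oauth_cron_refresh' ) ) {
    wp_schedule_event( time(), 'hourly', 'ga_oauth_cron_refresh' );
}
```

If the site distributes the plugin publicly, the constants approach means a GitHub checkout of the plugin carries no client secret, which is exactly the separation the second quote asks for.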