This seems like just a true statement about all local apps, isn’t it? Teams integrates with email/sharepoint/etc, so the app needs a token that can access those things, and the app has to store the token such that it can be used for requests.<p>They could obfuscate the token by encrypting it, but a local attacker would still be able to read it because the local system would need to then store the decryption key somewhere; it’s turtles all the way down.<p>Slack has a similar failure mode, as do Chrome cookies and every other local app I’m aware of.