the UID file should only be readable by the user #52

Open
koonix opened this issue Mar 9, 2022 · 2 comments

koonix commented Mar 9, 2022

the file sponsorblock.txt (which contains the UID) should only be readable/writable by the user (it should be given a permission of 600), otherwise other users in the system can read the UID and impersonate the user.

From the Import/Export UserID Section in the SponsorBlock extension: "This should be kept private. This is like a password and should not be shared with anyone. If someone has this, they can impersonate you."

@po5
Owner

po5 commented Mar 16, 2022

Just like how other users can use my mpv config which may contain cookies for youtube-dl, or --http-header-fields which may contain auth tokens.
You're in charge of permissions on your own system. I won't force it on users. Restricting access to the mpv dir is a better solution anyway.

Keeping this open since there is something I don't like about the current setup, it's that sponsorblock.txt is contained in the scripts dir which many people will commit to their public github (you can already find multiple of these).
It should be moved to some outside location, setting permissions can't address that.

@Zocker1999NET
Contributor

@po5 Generally, I'm agreeing with "You're in charge of permissions on your own system", especially on the given example of a mpv.config which I might create and maintain myself. I would also not want that this plugin might enforce this by throwing an error if the permissions are not as expected (like openssh does this on publicly readable SSH keys). However, I also expect a sane default for files which contain sensitive content and which I might not be aware of as a normal user, and the automatically created sponsorblock.txt is a good example for that because I just found out that this file exists and contains probably sensitive content by reading this issue. So my ideas would be:

  1. Add a comment into the sponsorblock.txt (if possible) or mention in the filename or in a README file in the same directory that this UID might be considered sensitive. Then people can decide if they want to publish it or not. Currently, it might be that some have published their sponsorblock UID without them being able to know it is considered to be sensitive. And that should not happen, there should be at least a warning like in the Import/Export section of the extension.
  2. If creating the file, please set the file permission to be user-only as proposed by @soystemd. If users are then lifting the permissions themselves, it is their responsibility. But it should be safe to assume that applications and plug-ins do the best they can to secure personal data & credentials. Other applications also default to set restrictive permissions on files they create without the user knowing (like Firefox, Chrome, …) and I agree that this should do that as well.
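
An added example, not part of the thread and not the project's own code: one way a script could write the UID file with mode 600 on a POSIX system, including the case where the file already exists with looser permissions. The function names and the sample UID are hypothetical.

```python
import os
import stat
import tempfile

def write_private(path: str, secret: str) -> None:
    """Create or overwrite `path` so only the owner can read or write it."""
    # The mode passed to os.open() applies only when the file is created and
    # is masked by the umask, so fchmod() is what covers a pre-existing
    # world-readable file. O_NOFOLLOW refuses to write through a symlink.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_NOFOLLOW, 0o600)
    try:
        os.fchmod(fd, 0o600)   # tighten before any secret bytes are written
        os.ftruncate(fd, 0)
        os.write(fd, secret.encode())
    finally:
        os.close(fd)

def exposed_bits(path: str) -> int:
    """Return the group/other permission bits on `path` (0 means private)."""
    return stat.S_IMODE(os.stat(path).st_mode) & (stat.S_IRWXG | stat.S_IRWXO)

def demo() -> dict:
    """Run the cases in a temp dir; the UID below is a constructed sample."""
    uid = "constructed-sample-uid-0000"
    results = {}
    old_umask = os.umask(0o022)   # common default that yields 0644 files
    try:
        with tempfile.TemporaryDirectory() as d:
            # Case 1: plain open() leaves the file readable by group/other.
            loose = os.path.join(d, "loose.txt")
            with open(loose, "w") as f:
                f.write(uid)
            results["naive"] = exposed_bits(loose)
            # Case 2: the same pre-existing loose file, rewritten privately.
            write_private(loose, uid)
            results["fixed_existing"] = exposed_bits(loose)
            # Case 3: a file that did not exist before.
            fresh = os.path.join(d, "sponsorblock.txt")
            write_private(fresh, uid)
            results["fresh"] = exposed_bits(fresh)
            results["mode"] = stat.S_IMODE(os.stat(fresh).st_mode)
            with open(fresh) as f:
                results["content_ok"] = f.read() == uid
    finally:
        os.umask(old_umask)
    return results

if __name__ == "__main__":
    print(demo())
```

As po5 notes above, file permissions do not help once the file is committed to a public repository; this only addresses other local users.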
