@gnomon The other part of the post, alluding to the expensive security audit required for registered apps using certain API scopes, has been the case since 2019, and has never been required for purely client-side apps that don't expose user data to third-party (non-Google) servers.
The precise details of the whole app verification thing are fairly complex and sometimes murky (no thanks to Google). I spent a long while writing out some bullet points for a friend as I was drilling down to the *actual* truth, because the info as presented felt lacking to me, and rather suspect besides. Unfortunately, writing all my findings out in a more presentable form would take even more time; I lost the drive to make information-dense posts for public consumption on social media a long time ago.
@gnomon One more relevant tidbit: app passwords may not be available to those with accounts managed by their school or work (Google Workspace, G Suite, whatever other names are applicable). App passwords have to be enabled by the domain administrator in order to be used within an organization.