I was thinking, and there’s some weird irony here. I can make the argument that security is actually worse off now.
The server tokens that used to be returned from the shared_servers endpoint were scoped to the specific Plex Media Server only. This means that the only thing a server admin could do was change things on their own server. They didn’t get access to the shared user’s online Plex account.
The supported method to switch home users grants full access to the home user’s account (provided there is no PIN or you already know their PIN). This means you can change their online Plex account settings or connect to other Plex Media Servers shared to their account. You actually become that user. As an example, in the past I have accidentally posted on these forums as one of my home users after switching accounts in Plex Web.
I can see the direction where developers will recommend (or just mention) inviting users into your Plex Home (and without a PIN) in order to continue using some of these 3rd party tools. Just using PAL above as an example, with a simple disclaimer:
Due to recent Plex API security changes, automatic token retrieval for external/remote shared users outside of your Plex Home is no longer possible.
Now that has just incentivized server admins to start inviting accounts into their Plex Home when they really should remain as shared users. The server admins will now have complete Plex account access versus previously where they only had personal server access.