Hey Raúl,
That's a very good question.
My recommendation is that you use the "Web application" method. It's safer because it's tied to a domain. The downside is that the walk-through for your users has an additional step, as they would have to specify a callback URL in the APIs console and your plug-in would have to listen on that URL.
The installed application method has additional steps that require to open a browser window and many of your users won't have access to one.
What you should never do is distributing your client secret with the plugin, which is the unsafe short-cut.
Cheers!
Jose
---
Jose Alcérreca
Developer Relations
Google UK Limited
Registered Office: Belgrave House, 76 Buckingham Palace Road, London SW1W 9TQ
Registered in England Number: 3977902