I've been wondering about this also. With OAuth 1.0, much was made about the issue of embedding the consumer secret in installed applications. Google recommended (in the Latitude docs) writing a proxy on Google App Engine with which your application could communicate so that you didn't have to expose your consumer secret. With OAuth 2.0, they seem to be saying just to go ahead and embed your client secret. Is there something about OAuth 2.0 that means that embedding your client secret in an installed application is not a concern?
Forgive my ignorance if this is a silly question. I'll admit that I don't know a hell of a lot about OAuth 2.0.