android:allowBackup="true" lets app data be extracted via adb backup on many devices.
With allowBackup enabled, adb backup (or a desktop "phone manager") exports the app's private data without root: databases, shared prefs, tokens. Cloud backups can also carry secrets off-device.
Anyone with brief USB access to an unlocked device walks away with the app's private storage.
<!-- res/xml/backup_rules.xml (file name assumed), referenced from the manifest as
     android:dataExtractionRules="@xml/backup_rules" (Android 12+). It keeps auth.xml out of
     cloud backups and device-to-device transfers; every other pref, database and file is still included. -->
<data-extraction-rules>
    <cloud-backup><exclude domain="sharedpref" path="auth.xml"/></cloud-backup>
    <device-transfer><exclude domain="sharedpref" path="auth.xml"/></device-transfer>
</data-extraction-rules>
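An added check (example code, not from the original page) that a reviewer can run over a decoded AndroidManifest.xml and its extraction-rules file to report what a backup still exports. The sample manifest and rules are constructed, with the rules mirroring the snippet above, and the script assumes the manifest has already been decoded from the APK's binary XML to plain XML.

```python
import xml.etree.ElementTree as ET

ANDROID_NS = "{http://schemas.android.com/apk/res/android}"
SECTIONS = ("cloud-backup", "device-transfer")

# Constructed sample inputs (not from a real app): a decoded manifest and its res/xml rules file.
MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android">
  <application android:allowBackup="true"
               android:dataExtractionRules="@xml/backup_rules"/>
</manifest>"""
RULES = """<data-extraction-rules>
<cloud-backup><exclude domain="sharedpref" path="auth.xml"/></cloud-backup>
<device-transfer><exclude domain="sharedpref" path="auth.xml"/></device-transfer>
</data-extraction-rules>"""

def backup_enabled(manifest_xml):
    # allowBackup defaults to true when the attribute is absent
    app = ET.fromstring(manifest_xml).find("application")
    value = app.get(ANDROID_NS + "allowBackup") if app is not None else None
    return value is None or value.lower() == "true"

def excluded_paths(rules_xml):
    # Map each transport section to the "domain:path" entries it excludes;
    # a section that is absent is left out (Android then includes everything).
    root, result = ET.fromstring(rules_xml), {}
    for name in SECTIONS:
        sec = root.find(name)
        if sec is not None:
            result[name] = {f"{e.get('domain')}:{e.get('path')}" for e in sec.findall("exclude")}
    return result

def audit(manifest_xml, rules_xml=None):
    # Findings a reviewer would raise about private data reaching a backup
    findings = []
    if not backup_enabled(manifest_xml):
        return findings  # allowBackup="false": nothing is exported
    findings.append("allowBackup is enabled (or absent, which defaults to true)")
    if rules_xml is None:
        findings.append("no extraction rules: every sharedpref, database and file is included")
        return findings
    rules = excluded_paths(rules_xml)
    for name in SECTIONS:
        if name not in rules:
            findings.append(f"{name} section missing: all data included for this transport")
        else:
            findings.append(f"{name} excludes only {sorted(rules[name])}; everything else is still included")
    return findings

print(audit(MANIFEST, RULES))  # runs the check over the constructed sample
```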