Well, to give the plugin authors some credit, there is visibility for middleman URI in config UI; they could have hidden it, and most people would not notice. Oh, but wait, it would not have worked then, as users would not have added URI in their Google API creds.
So, the answer above looks false and misleading to me. If it were true, plugin authors would have allowed users to use their own URI and have not required theirs. There is no way to edit it.
So, yes, this is not secure, and by using this plugin, you will most probably be violating a lot of rules and would not even know this if you are not savvy in web security.
I do not see how it is ok to compromise personal data security with this approach.
