(Note: this question could apply generally to any .NET client technology, whether UWP, WPF or WinUI 3)
I am familiar with the "User Secrets" feature in Visual Studio and .NET, however, in all documentation I've come across, it's presented in the context of an ASP.NET Core application. In that context, I understand that on the production server, environment variables take the place of the secrets.json file (that is utilized only on the dev machine). But of course, when deploying an ASP.NET application, you have the luxury of setting env variables since you have access to the production machine.
But there is no guidance or even mention of how to manage secrets on client apps (UWP or desktop) that are deployed to end users' devices via some public channel, such as the Windows Store, where you the developer has no access to the client production device. How do app secrets get onto the user's machine? If the secrets were part of the app installation package, wouldn't that also introduce an obvious vulnerability?
Just to be clear, when I'm talking about "secrets", I'm not talking about a password or anything else that is expected to be obtained via a run-time user prompt. I'm talking about secrets that should be hidden from users as well as bad actors. Things like an API key or a password to the developer's backend system.
There is no such mechanism for user secrets like in ASP.NET Core for UWP apps. Generally, if you really need to store sensitive data in your app, I'd suggest you encrypt it first.
If you have a server, then request the data when using should be more suitable than store it locally.