Showing the user token on profile pages makes it possible for people to pick it up if they’re snooping on the screen.

This is especially a risk for people who might be streaming or otherwise doing/sharing screencapturing where viewers are able to screenshot the image of the token.

It should be possible to copy the key without showing it, and there should also be an option to show the key if you need it shown—but it shouldn’t be shown by default.