Twitch knows that an implict token was used and blocks access by implicit tokens leaving code flow tokens intact.
And/or they block the bad actors IP address from access leaving your main connection fine.
Finally PubSub is deprecated: Legacy PubSub deprecation and shutdown timeline
In my opinion: The issue doesn’t exist under EventSub due to how authentication is segregated
Edit: an what you describe can’t happen as theres no rule that would block the developer if a bad actor misuses the clientID
- Clients can listen on up to 50 topics per connection. Trying to listen on more topics will result in an error message.
- We recommend that a single client IP address establishes no more than 10 simultaneous connections.
Theres nothing where a bad actor can knock the developer offline