@Markus It passes through our servers and then to the client. Note that the token that passes through our servers is a one-time use token (generated by Google), which is used by the Insync client to exchange for a refresh token (via Google servers). The refresh token is the one that is stored in the client and used for continued authentication to the Google APIs.
Previously, we used an in-app browser for logging in (where our servers are not involved), but because of various issues, we resorted back to an external-browser-based login as the default method. You can still use a manual in-app method for logging in as described here.
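The flow described in the reply above, as an added sketch that is not part of the original post and is neither Insync's nor Google's code: a one-time code passes through a relay, the client redeems it for a refresh token, and a second redemption of the same code is refused. `AuthServer`, `run_flow`, the 60-second lifetime and the sample account are all assumptions made for illustration, and real exchanges also carry client credentials, which are omitted here.

```python
import secrets
import time

class AuthServer:
    """Toy identity provider (hypothetical; not Google's real API)."""
    CODE_TTL = 60  # seconds a one-time code stays valid (assumed value)

    def __init__(self):
        self._codes = {}    # one-time code -> (user, expiry)
        self._refresh = {}  # refresh token -> user

    def issue_code(self, user, now=None):
        now = time.time() if now is None else now
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, now + self.CODE_TTL)
        return code

    def exchange(self, code, now=None):
        now = time.time() if now is None else now
        entry = self._codes.pop(code, None)  # pop enforces single use
        if entry is None:
            raise ValueError("invalid_grant: unknown or already-used code")
        user, expiry = entry
        if now > expiry:
            raise ValueError("invalid_grant: code expired")
        token = secrets.token_urlsafe(32)
        self._refresh[token] = user
        return token

    def user_for(self, refresh_token):
        return self._refresh.get(refresh_token)

def run_flow(user="alice@example.com"):  # constructed sample account
    idp = AuthServer()
    relay_log = []                     # everything the vendor relay ever sees
    code = idp.issue_code(user)        # browser login produces a one-time code
    relay_log.append(code)             # the code passes through the relay...
    refresh = idp.exchange(code)       # ...and the client redeems it directly
    try:
        idp.exchange(relay_log[0])     # second redemption of the same code
        replay_rejected = False
    except ValueError:
        replay_rejected = True
    return {
        "client_user": idp.user_for(refresh),
        "relay_saw_refresh_token": refresh in relay_log,
        "replay_rejected": replay_rejected,
    }

if __name__ == "__main__":
    print(run_flow())
```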