Sigwolf: Has there been any proven evidence of anyone losing access to any gaming account as a result of galaxy 2 access? If this were actually a thing, do you think that maybe someone would be making it a big deal? I understand and appreciate caution, but paranoia can only get you so far...
paranoia? maybe if you don't understand how things work and how it can be made to steal your data without you even noticing. But if you understand the process you'll call it a possibility. You must be one of these people who never updated their software to apply security fixes because you don't want to be paranoid about it, right? :)

it takes 2-3 times to enter your login with 2FA code and your steam account will be transferred to another owner. I bet you have seen multiple forum threads on steam about stolen accounts after using fake logins on 3rd party sites. this is the same method any attacker can use in galaxy 2.0 plugins. thanks to its bad stability and constant disconnects one can easily overlook when galaxy asks you to log in to your steam account and then shows login prompt again (like, it didn't work last time), user enters it again with new 2FA code. what happens next? once data is gathered and passed outside, bot already used your 2FA code to steal your account, plugin will crash galaxy to clear files. "Oh, this thing crashed, it is still beta". will you notice anything strange in that?
Post edited July 19, 2020 by djoxyk
Sigwolf: Has there been any proven evidence of anyone losing access to any gaming account as a result of galaxy 2 access? If this were actually a thing, do you think that maybe someone would be making it a big deal? I understand and appreciate caution, but paranoia can only get you so far...
djoxyk: paranoia? maybe if you don't understand how things work and how it can be made to steal your data without you even noticing. But if you understand the process you'll call it a possibility. You must be one of these people who never updated their software to apply security fixes because you don't want to be paranoid about it, right? :)
Unsurprisingly, you seem to have intentionally missed the point.

Again... "Has there been any proven evidence of anyone losing access to any gaming account as a result of galaxy 2 access?"

Not only do you ignore the question, but then double down by attempting to deflect to a completely unrelated topic of applying software updates. So, yes, paranoia.
Sigwolf: Again... "Has there been any proven evidence of anyone losing access to any gaming account as a result of galaxy 2 access?"
look, if there will be such evidence that would mean all users who had their galaxy open at that time had this happened to them. EVERY USER. definitely you can't miss an outage of that size, right? :)
not every single user who uses 3rd party fake logins but good half of gog userbase who happened to open their galaxy client that day. no name github developer without past projects, not known in community for any other projects. and their github project. if something happens to that github project by dev's hand or by hand of hackers you'll definitely hear about it. I bet cries of people who had cs:go fortunes will be very loud.

but hey, I'm not saying you have to be paranoid, please do use galaxy until something like that happens. that would be only fair for a person of your mindset.

Sigwolf: Not only do you ignore the question, but then double down by attempting to deflect to a completely unrelated topic of applying software updates. So, yes, paranoia.
I'm not ignoring, I'm just typing it in parts :)

why github account is not a safe solution
https://www.hackreports.com/github-hacked-ransomware/
Post edited July 19, 2020 by djoxyk
Sigwolf: Again... "Has there been any proven evidence of anyone losing access to any gaming account as a result of galaxy 2 access?"
djoxyk: look, if there will be such evidence that would mean all users who had their galaxy open at that time had this happened to them. EVERY USER. definitely you can't miss an outage of that size, right? :)
not every single user who uses 3rd party fake logins but good half of gog userbase who happened to open their galaxy client that day. no name github developer without past projects, not known in community for any other projects. and their github project. if something happens to that github project by dev's hand or by hand of hackers you'll definitely hear about it. I bet cries of people who had cs:go fortunes will be very loud.

but hey, I'm not saying you have to be paranoid, please do use galaxy until something like that happens. that would be only fair for a person of your mindset.
Oh, look... more assumptions and generalizations. I'm totally sure an event that affected EVERY USER of galaxy 2 would be completely untraceable, and there would be no hope of rightful owners of the accounts regaining control, right? It would be doomsday!

I would certainly hope a person "of your mindset" never makes an online transaction, or uses a credit card or ATM card in person, either. These are all activities where people actually have had personal information stolen on many occasions, rather than theoretical things that might go wrong. I would hope you don't take chances using any of those unsafe payment methods. Need to be safe... physical currency only.
Sigwolf: I'm totally sure an event that affected EVERY USER of galaxy 2 would be completely untraceable, and there would be no hope of rightful owners of the accounts regaining control, right? It would be doomsday!
steam will restore account ownership but they won't restore any items on it. can be a doomsday for those who'll have their stuff stolen.

I'm in IT, I know how to minimize my risks. I don't trust no-name vendors with my money. there's always someone who will pay for customer's loss if anything happens (if it's a business with name, address and strict policy). with gog and galaxy plugins you have no guarantee, no business to back shabby github code. it is only a matter of time when someone will exploit this weak code storage to rob gog's customers. why should I trust it? no guarantee, no security leads to exploits. if someone hacks github repo gog can't even take them to court for breaking into gog infrastructure. anyone can hack it just for laughs because there's no big corporation to chase the attacker.
djoxyk has a valid point. Not sure about the community integrations that are searchable inside the client (maybe GOG has a cert process to ensure those are clean), but integrations that you have to pull directly from GitHub, like twitch, are just community software. The community in question is the internet, which has its seedier elements.

While it's publicly available for everyone, so everyone can see it, not everything is going to be reviewed by others, or at the very least problematic code may go unnoticed for long enough to do some real damage.

It's like using your debit card at an ATM that has publicly accessible firmware that anyone can update, with no certification or control. Would you feel comfortable using your debit card there? That's what you're doing with the twitch integration.

Risk of bad code is probably not as bad with the twitch as it is in the ATM hypothetical, but it's still there. Particularly since the twitch integration is your Amazon login, in many cases.
Post edited August 01, 2020 by Rahk-Sha