Should I store the OpenID requested_id encrypted?

Does the OpenID need to be encrypted in the username in the database? If someone had easy access to it, could they introduce themselves as this user?

+7
1 answer

The declared_id is very similar to the username. It identifies the user according to their provider.

So, if someone got access to the declared_id, it would be impossible for them to pose as this user unless the attacker also had the password, or the user was already logged in to the attacker (or the attacker was able to undermine the login process in some other way).

So, you can consider it as a username; encryption is not required, but you can feel better knowing it is there as an additional layer of security.

If someone gets direct access to your database, however, it is likely that they could compromise your entire site using other means.

+6