The "disconnect()" function in the google_sign_in package seems to be completely inoperative. Looking through the source it seems to do the right thing: signOut() calls the Java libary's signOut(), and disconnect() call's the Java library's revokeAccess(). But it does not in fact revoke anything--the name still appears in the list, and clicking it signs in again, no password or other authentication needed. I don't know if this is an error in the plugin, or in the underlying Java API.

This is a serious security issue. The user must be allowed to revoke his access to an app.