On my machine "%LOCALAPPDATA%\Google\Chrome\User Data\Default\Network\Cookies" doesn't have any special permissions, I'm able to open it up with Notepad spawned straight from my shell.

Maybe I'm misunderstanding NTFS permissions and this is expected, I don't do a lot of Windows, but worst case for the malware is that it has to show a UAC prompt, and if you made someone click "free-discord-nitro.exe" they'll probably click through that too.

Permissions are fake, especially Windows ones. If someone is running code on your machine, they can access any data on it.

On a Mac, if a program (not the user in a file selection dialog) attempted to read a file in ~/Library/Application Support/Google Chrome/, then it would trigger an alert like "[App] from Unknown Developer wants to access files in the ~/Library folder. Allow them?" You'd also need to have manually opened system preferences to have allowed the unsigned app to run in the first place.

And yes, a user could click through that. The primary responsibility is always on the user, within the bounds of what the OS allows them to do (as an extreme, a mobile app certainly cannot access data from another app's keychain or configuration directory - but this requires a highly restrictive OS). But the point is that an application should still make an effort to use best practices provided by the operating system for protecting sensitive data. And in the case of Discord, at least on Mac, it should probably be storing tokens in the Keychain, not the filesystem (maybe it does, idk). Yes, malware can hook the process but not without compromising various OS sandboxing mechanisms, which usually requires the assistance of the user clicking past scary warnings (and even going outside the flow of alerts to explicitly disable protections).