What is the usage of the client_secrets.json file?

The Google API Client Library OAuth2 docs state,

Keep your client secret private. If someone obtains your client secret, they could use it to consume your quota, incur charges against your Developers Console project, and request access to user data.

So don't commit or otherwise distribute the file.

If you want to publicly share your application source code, instruct others to use their own Google Developer account to register their own Google Developer project and generate their own app OAuth credentials (client_secrets.json file) for use with their "installation" of the app.

If you were making the application commercially available, you would seemingly need to share the app credentials with them in a trusted, legally protected, or secure manner.


Apparently the client_secrets.json file does not have to be kept secret for installed applications. From https://developers.google.com/identity/protocols/OAuth2?csw=1#CS in the "Installed applications" section:

The process results in a client ID and, in some cases, a client secret, which you embed in the source code of your application. (In this context, the client secret is obviously not treated as a secret.)

So if you're making a webapp, keep it secret. If it's a python app that you distribute to users and they run on their own, it does not have to be kept secret.
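Putting both answers together in code: the following is an added example, not code from either answer or from Google's client libraries. It loads a client_secrets.json from a path supplied out of band (the environment variable name GOOGLE_CLIENT_SECRETS is an assumption), tells the documented "installed" and "web" layouts apart, and refuses a "web" file that sits inside the repository without being git-ignored. The sample credential contents are constructed placeholders.

```python
"""Added example: load client_secrets.json from outside the source tree and
treat the "web" layout as a secret, the "installed" layout as public."""
import fnmatch
import json
import os
import tempfile
from pathlib import Path

# Constructed samples in the documented layout: one top-level key, "installed"
# or "web", holding the client configuration.  All values are placeholders.
SAMPLE_INSTALLED = {"installed": {
    "client_id": "000000000000-placeholder.apps.googleusercontent.com",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "client_secret": "PLACEHOLDER-NOT-A-SECRET",
    "redirect_uris": ["http://localhost"],
}}
SAMPLE_WEB = {"web": {
    "client_id": "000000000000-placeholder.apps.googleusercontent.com",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token",
    "client_secret": "PLACEHOLDER-NOT-A-SECRET",
    "redirect_uris": ["https://app.example.com/oauth2callback"],
}}
REQUIRED_KEYS = {"client_id", "auth_uri", "token_uri"}


class ClientSecretsError(ValueError):
    """Malformed or badly placed client_secrets.json."""


def validate_client_secrets(data):
    """Return a list of problems with a parsed client_secrets.json (empty if OK)."""
    if not isinstance(data, dict) or len(data) != 1:
        return ["expected exactly one top-level key, 'installed' or 'web'"]
    (kind, cfg), = data.items()
    if kind not in ("installed", "web"):
        return [f"unknown client type {kind!r}"]
    if not isinstance(cfg, dict):
        return [f"{kind!r} must map to an object"]
    missing = REQUIRED_KEYS - cfg.keys()
    # A web (confidential) client proves itself to the token endpoint with the
    # secret, so it is mandatory there; an installed app's secret is public.
    if kind == "web" and not cfg.get("client_secret"):
        missing.add("client_secret")
    return [f"{kind}: missing {key}" for key in sorted(missing)]


def classify_client_secrets(data):
    """Return (kind, config) for a valid file, else raise ClientSecretsError."""
    problems = validate_client_secrets(data)
    if problems:
        raise ClientSecretsError("; ".join(problems))
    (kind, cfg), = data.items()
    return kind, cfg


def is_gitignored(gitignore_text, filename="client_secrets.json"):
    """Cheap check that a .gitignore covers the file (simple patterns only)."""
    for line in gitignore_text.splitlines():
        pattern = line.strip()
        if not pattern or pattern[0] in "#!":
            continue
        if fnmatch.fnmatch(filename, pattern.lstrip("/")):
            return True
    return False


def load_client_secrets(path=None, env_var="GOOGLE_CLIENT_SECRETS", repo_root=None):
    """Load and classify the file at `path` (default: the env var's value).

    A "web" file inside `repo_root` must be git-ignored, so the secret cannot
    be committed by accident; an "installed" file may live anywhere.
    """
    raw = path or os.environ.get(env_var)
    if not raw:
        raise ClientSecretsError(f"set {env_var} to the path of client_secrets.json")
    resolved = Path(raw).resolve()
    with resolved.open() as fh:
        kind, cfg = classify_client_secrets(json.load(fh))
    if kind == "web" and repo_root is not None:
        root = Path(repo_root).resolve()
        if root in resolved.parents:
            ignore_file = root / ".gitignore"
            ignore_text = ignore_file.read_text() if ignore_file.exists() else ""
            if not is_gitignored(ignore_text, resolved.name):
                raise ClientSecretsError(
                    f"{resolved} is inside {root} and not git-ignored; move or ignore it")
    return kind, cfg


def demo():
    """Round-trip both samples through a scratch checkout; returns what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        installed = root / "client_secrets.json"          # public: allowed in tree
        installed.write_text(json.dumps(SAMPLE_INSTALLED))
        results["installed_in_tree"] = load_client_secrets(installed, repo_root=root)[0]
        web = root / "web_secrets.json"                    # secret, not ignored: refused
        web.write_text(json.dumps(SAMPLE_WEB))
        try:
            load_client_secrets(web, repo_root=root)
            results["web_in_tree"] = "accepted"
        except ClientSecretsError:
            results["web_in_tree"] = "refused"
        (root / ".gitignore").write_text("# local only\n/web_secrets.json\n")
        results["web_ignored"] = load_client_secrets(web, repo_root=root)[0]
    return results


if __name__ == "__main__":
    print(demo())
```

The .gitignore check is deliberately shallow (no negation or directory semantics); it is a guard against the obvious mistake of committing a web client's secret next to the code, not a replacement for keeping the file out of the tree in the first place.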

Tags:

Google Api