Does anyone know if the User Pool Id and Client Id are sensitive? Currently I have them sitting on the frontend and was just wondering if this is dangerous. If it is, how can they be exploited?
No, they are not. They are supposed to be public. The only way they can be exploited is that someone can use them to make a large amount of SignUp calls to your userpool. But as long as these registrations are not verified, these won't be converted into active users (unless you have enabled auto-verification of users). This is not an AWS specific issue. Fake registrations are a big headache and one will face this issue even if there is no SignUp api being used and a PHP backend is used for registration. The only way to face this is email/phone verification.
Of course, if you have disabled SignUp in your userpool i.e. only Admins can create users then this is not an issue at all.
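To check which of these cases a given pool is in, here is an added example (not code from any of the answers) that reads a pool's own configuration: it reports whether public SignUp is open, which attribute verification is configured, and whether a PreSignUp trigger exists, and counts the UNCONFIRMED users that fake registrations leave behind. The response shapes are those of boto3's cognito-idp describe_user_pool and list_users; the pool ids, Lambda ARN and users below are constructed samples.

```python
"""Audit how much a leaked Cognito client id actually buys an attacker,
from the pool's own configuration. Added example, not code from the
answers above. Input dicts have the shape returned by boto3's
cognito-idp describe_user_pool / list_users; the samples below are
constructed, not real pools."""

def assess_signup_exposure(describe_response: dict) -> dict:
    """Return whether public SignUp is open and which safeguards apply."""
    pool = describe_response["UserPool"]
    admin_only = pool.get("AdminCreateUserConfig", {}).get("AllowAdminCreateUserOnly", False)
    verified = pool.get("AutoVerifiedAttributes", [])        # e.g. ["email"]
    pre_signup = pool.get("LambdaConfig", {}).get("PreSignUp")  # Lambda ARN or None
    result = {"self_signup_open": not admin_only, "verification": verified,
              "pre_signup_trigger": pre_signup, "findings": []}
    if admin_only:
        # Only AdminCreateUser works here; a public client id cannot create users.
        return result
    result["findings"].append("self sign-up open: anyone with the client id can call SignUp")
    if not verified:
        result["findings"].append("no AutoVerifiedAttributes: no code is sent, sign-ups stay "
                                  "UNCONFIRMED until an admin confirms them, so fakes pile up")
    if pre_signup:
        result["findings"].append("PreSignUp trigger present: review it, a handler that sets "
                                  "autoConfirmUser makes sign-ups active without verification")
    return result

def count_unconfirmed(list_users_response: dict) -> int:
    """Fake registrations show up as UNCONFIRMED users in list_users output."""
    return sum(1 for u in list_users_response.get("Users", [])
               if u.get("UserStatus") == "UNCONFIRMED")

# Constructed samples (placeholder ids and ARN, not real resources).
OPEN_POOL = {"UserPool": {"Id": "us-east-1_EXAMPLE",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": False},
    "AutoVerifiedAttributes": ["email"],
    "LambdaConfig": {"PreSignUp": "arn:aws:lambda:us-east-1:123456789012:function:presignup"}}}
LOCKED_POOL = {"UserPool": {"Id": "us-east-1_EXAMPLE2",
    "AdminCreateUserConfig": {"AllowAdminCreateUserOnly": True}}}
SAMPLE_USERS = {"Users": [{"Username": "a", "UserStatus": "CONFIRMED"},
                          {"Username": "b", "UserStatus": "UNCONFIRMED"},
                          {"Username": "c", "UserStatus": "UNCONFIRMED"}]}

if __name__ == "__main__":
    for p in (OPEN_POOL, LOCKED_POOL):
        print(p["UserPool"]["Id"], assess_signup_exposure(p))
    print("unconfirmed users:", count_unconfirmed(SAMPLE_USERS))
```

Against a live pool, feed the function the output of `boto3.client("cognito-idp").describe_user_pool(UserPoolId=...)` from a backend credential; the public client id on the frontend is not needed for this audit.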
ID token and Access token generated by Cognito contain both User pool ID and Client ID, there is no way these values were designed to be private.
This information is not sensitive, but if used together they could allow a client to create users in your Cognito user pool and hence have access to your application.
Requests to Admin methods require "userPoolId", which should be kept in your back end. Client/normal requests usually use the "clientId", of which there can be more than one under the same user pool.
In summary, "userPoolId" is your sensitive info and should not be exposed in your client.
Note: Amplify.@auth requires both userPoolId and clientId, which is another security failure from them, however I have not seen them exposing the clientId in any request. Let's hope they fix this very soon.