In some circumstances Google requires a costly security assessment. But this doesn’t apply to apps like K-9 Mail that handle all the data on the device.
From OAuth App Verification Help Center - Google Cloud Platform Console Help (emphasis mine):
Every app that requests access to restricted scope Google user’s data and has the ability to access data from or through a third party server is required to go through a security assessment from Google empanelled security assessors.
K-9 Mail 6.200 is available now and includes OAuth 2.0 support for Google accounts. See New release: K-9 Mail 6.200