Need help with API Token for authenticating API Calls

I do agree that putting them in the query string is generally a bad idea if the requests are going over the public internet (this can be modified in code to use a header instead), as they could be subject to man-in-the-middle attacks (very rare, but possible).

But again, the API tokens are designed to be used between two services, typically behind a local LAN and firewall. A client or user should never see this.

The original author of this discussion has an ASP.NET application that accepts his public traffic and relays requests to a backend Strapi instance behind his local LAN. The communication channel between his ASP.NET application and Strapi is in a trusted zone.