[Tim]
secrets.token_bytes() is already the way to spell "get a string of messed-up bytes", and that's the dead obvious (according to me) place to add the potentially blocking implementation.
[Sebastian Krause]
I honestly didn't think that this was the dead obvious function to use. To me the naming kind of suggested that it would do some special magic that tokens needed, instead of just returning random bytes (even though the best token is probably just perfectly random data). If you want to provide a general function for secure random bytes I would suggest at least a better naming.
There was ample bikeshedding over the names of `secrets` functions at the time. If token_bytes wasn't the obvious function to you, I suspect you have scant idea what _is_ in the `secrets` module. The naming is logical in context, where various "token_xxx" functions supply random-ish bytes in different formats. In that context, xxx=bytes is the obvious way to get raw bytes.