When should I use this? You should use the token system whenever you have a form that results in changes to the database. Especially if the form is only available to certain privileged users.
I'm using module xxx on my site, it doesn't use tokens. Is it unsafe? Not directly, no, although there is some discussion in this area (which is why we are making this token system altogether). If you are checking the HTTP REFERER (which XOOPS does by default) you are quite safe from the malicious attacks where your site admins are tricked into performing actions on your site by submitting forms on another site. However, checking the HTTP REFERER is not entirely friendly towards your users, who may have to configure their firewall for your site. The token system makes your site less vulnerable should you decide to disable the referer checking.
Who should I thank for making my XOOPS more secure The Japanese XOOPS community should be the target for your praise, flowers, chocolate and whatever else, you would want to send their way.