Hi @parthp,
Thanks for reaching out to the Auth0 Community!
There is no functional difference between storing the user data in the app_metadata or user_metadata properties, only a semantic difference.
The difference between app_metadata and user_metadata is that the first should be used for information about the user that is controlled by the application (e.g. the user identifier for a legacy system, or the roles a user has), whereas user_metadata is information that the user can view and control (e.g. user settings, preferences). [Reference: Differences between client_metadata and app_metadata]
This should be fine and is not a security risk as long as the member# is considered non-confidential information. If it is considered confidential information, then it is not recommended to store this information in the token as a custom claim.
I hope that helps!
Please reach out again if you have any further questions.
Thanks,
Rueben
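As an added illustration of the reply above (example code, not part of the original thread or Auth0's own samples): a post-login Action that copies a member number from app_metadata into a namespaced custom claim, plus a decoder showing that a JWT payload is readable by any token holder without a key, which is why confidential values do not belong in a claim. The metadata key `member_number`, the claim namespace and the demo token are assumptions.

```javascript
// Added example (not from the original post). Assumed: the member number is
// stored as app_metadata.member_number and exposed under a namespaced claim.
const CLAIM_NS = "https://example.com/claims/member_number"; // assumed namespace

// Pure helper: decide which claim (if any) to add for a user's app_metadata.
// Returns null when the user has no member number, so no claim is emitted.
function memberClaimFromAppMetadata(appMetadata) {
  const n = appMetadata && appMetadata.member_number;
  if (n === undefined || n === null) return null;
  return { name: CLAIM_NS, value: String(n) };
}

// Auth0 Actions entry point; in a deployed Action this is assigned to
// exports.onExecutePostLogin. event.user.app_metadata and
// api.idToken.setCustomClaim / api.accessToken.setCustomClaim are the real API.
async function onExecutePostLogin(event, api) {
  const claim = memberClaimFromAppMetadata(event.user.app_metadata);
  if (claim === null) return;
  api.idToken.setCustomClaim(claim.name, claim.value);
  api.accessToken.setCustomClaim(claim.name, claim.value);
}

// JWT payloads are base64url-encoded JSON, not encrypted: anyone holding the
// token can read every custom claim with no key. Hence the reply's caveat.
function toBase64Url(buf) {
  return buf.toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
function fromBase64Url(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64 + "=".repeat((4 - (b64.length % 4)) % 4), "base64");
}

// Constructed demo token: real header/payload encoding, placeholder signature.
function buildDemoToken(claims) {
  const header = toBase64Url(Buffer.from(JSON.stringify({ alg: "RS256", typ: "JWT" })));
  const payload = toBase64Url(Buffer.from(JSON.stringify(claims)));
  return `${header}.${payload}.PLACEHOLDER_SIGNATURE`;
}

// Read the claims back without verifying anything: this is what a client,
// a browser extension, or a log collector can see in every issued token.
function readClaimsWithoutVerifying(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("not a JWS compact serialization");
  return JSON.parse(fromBase64Url(parts[1]).toString("utf8"));
}
```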