Yes it is latency, but not latency related to sending the token response to the client. Instead, it's network latency and I/O associated to storing the token within the Apigee system.

The content of the response payload is set by the OAuth policy implicitly. The policy creates a new token and writes it to a persistent store, then creates the response. The time between writing to the store (and waiting for that write to complete) and creating the response payload is the latency we're talking about. It's usually microseconds. But if the token lifetime is 10.00000 seconds, and it takes 450 microseconds (0.45 milliseconds) to write the token to the store and get the confirmation, then the remaining token lifetime is 9.9995 seconds. The policy rounds down to a whole number of seconds, giving you 9.

If you configure a token to last for 30 minutes, the expiry is almost always shown as 1799 in the response payload. In your case you configured it to be 10 seconds, and you saw 9. 10 seconds would be more "accurate" but, because we are dealing with expiration, it would be incorrect. In other words if the client tried to use the token in 10 seconds, it would be invalid. Whereas if the client tried to use the token in 9 seconds, it would be treated as valid.