And most folks will click "Approve" without really reviewing the list. That said, Twitter and Facebook (two other popular OAuth providers) heavily restrict certain "full" access to only trusted applications that they either have a business relationship with or otherwise review the application before allowing those scopes to be requested or used. This incident may prompt Google to do more of that, which isn't entirely great news for the more responsible developers with purpose-built apps.
That's why Facebook changed their APIs in 2014. Before any app could ask for anything. Now apps can only ask for public profile data, email address and a list of your friends that have also installed the app.
Before you could also get stuff like education and work history, family relationships, relationship status, sexual orientation and a whole load of other stuff that could potentially cause a lot of trouble. And people would happily click OK just to play FarmVille or whatever.
Now Facebook makes it so any app needing advanced permissions data has to be reviewed by Facebook first.
I knew things were getting bad when I got like three push notifications in a week to pretty please open the app to see what my friends were not posting anymore.
