Ah yes, of course. I did miss that. The implicit (client-side) auth flow gets the access token directly and doesn't need another request to the API; that's the whole point.
This is indeed rather unwanted, even more so with the new, more restrictive API usage policy and the sandbox.
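The point made above, that the implicit (client-side) flow hands the access token straight back while the authorization-code flow still needs a separate token request, as an added example that is not part of the original thread. It assumes OAuth 2.0 semantics; the client id, redirect URI, token values and the `fake_token_endpoint` stand-in are all constructed for illustration.

```python
from urllib.parse import urlencode, urlparse, parse_qsl

# Constructed sample values (not from any real provider).
CLIENT_ID = "example-client"
REDIRECT_URI = "https://app.example/callback"


def implicit_redirect(access_token: str, state: str) -> str:
    # Implicit grant: the authorization server puts the access token in the
    # URL fragment. Browsers never send the fragment to the server, so the
    # token is visible only to client-side script and nothing else is needed.
    params = {"access_token": access_token, "token_type": "bearer",
              "expires_in": "3600", "state": state}
    return REDIRECT_URI + "#" + urlencode(params)


def code_redirect(code: str, state: str) -> str:
    # Authorization-code grant: only a short-lived code comes back in the
    # query string; the token must be fetched with a separate request.
    return REDIRECT_URI + "?" + urlencode({"code": code, "state": state})


def handle_callback(url: str, expected_state: str, exchange_code):
    """Client-side handling of the redirect.

    Returns (flow_name, access_token, extra_requests), where extra_requests
    counts the additional calls needed before the client holds a token.
    """
    parsed = urlparse(url)
    query = dict(parse_qsl(parsed.query))
    fragment = dict(parse_qsl(parsed.fragment))

    if fragment.get("access_token"):
        # Always bind the response to the request we started (CSRF defence).
        if fragment.get("state") != expected_state:
            raise ValueError("state mismatch")
        return ("implicit", fragment["access_token"], 0)

    if query.get("code"):
        if query.get("state") != expected_state:
            raise ValueError("state mismatch")
        token = exchange_code(query["code"])  # one more round trip
        return ("code", token, 1)

    raise ValueError("no token or code in redirect")


def fake_token_endpoint(code: str) -> str:
    # Stand-in for the token-endpoint request (hypothetical, for this example).
    return "tok-for-" + code


if __name__ == "__main__":
    print(handle_callback(implicit_redirect("abc", "s1"), "s1", fake_token_endpoint))
    print(handle_callback(code_redirect("c1", "s1"), "s1", fake_token_endpoint))
```

The `extra_requests` value is what the comment above is getting at: with the implicit grant the client has a usable token the moment the redirect lands, whereas the code grant always costs one more call to the token endpoint, which is exactly the call a restrictive API policy or sandbox can gate.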