The problem with many attacks is we've now been trained to do dumb things - like putting our password into webviews inside 3rd party apps - by reputable companies. So it doesn't feel as insane as it should do.
It's not just limited to webview's and tech companies.
When my bank calls me up about an issue with my account, they won't talk to me unless I give them my date of birth and email address for 'data protection' purposes.
They're always really confused when I say I will have to call them back.
oAuth outside a browser is just training people to be phished.