[ownagefool]

I'm not really sure I understand the is complaint then?

So the problem the OP is worried about is a SaaS provider using OIDC to federate to corp SSO and leaking data such as that within the id_token?

Otherwise, what's the leak here?

[tingletech]

iiuc, the complaint is still valid -- it's just that OIDC is what causes the attributes to be in the flow, not OAuth that causes the attributes to be in the flow.