I am willing to think that Google performs fingerprinting on the OAUTH login dialog window, which if prevented, similar to the comment above regarding Firefox being unsafe, it would block login through OAUTH as it pleases.
It also straight up doesn't allow you to publish an OAuth application that uses “restricted” scopes (like `gmail.*`) without a review process subject to arbitrary usage guidelines determined by the Google APIs team. That’s the catch. It doesn't even matter how you run the OAuth flow (though I agree I suspect they fingerprint that too). You get blocked earlier.