by csallen
5239 days ago
The Gmail OAuth system pretty much grants developers unfettered access to your inbox. I built a service called Syphir on top of it that literally examined every email you receive, checked the subject/sender/body against some customer filters, and then acted on the email (starred, deleted, marked as read, delayed, pushed to your phone, etc).

Google profiled our mobile app when they launched this service: http://googlecode.blogspot.com/2010/03/oauth-access-to-imaps...

There are two reasons they built this system:

(1) So apps won't have to ask for your Google password. This password would give them access to much more than just Gmail. And if you wanted to revoke their access, you'd have to change your password, whereas with OAuth you can just flip a switch in your Google settings.

(2) So apps won't have to do hacky stuff with curl to interact with Gmail. It's much easier to use an official API.

That said, if it's possible for an application to read/act on your email, it's possible for them to store your email. And if it's possible for them to store your email, it's possible for a hacker to hack it. So if you're going to use something based on Gmail OAuth, make sure you trust them and that they aren't actually storing your data.