by andrewstuart2 979 days ago
That doesn't mean oauth2 isn't still the best practice. I'd go as far as saying OIDC is best practice for oauth2 as well.

What you're saying is orthogonal and more about figuring out how to effectively manage users and the accesses they can grant, how easily they can grant certain permissions, how often they should review access, all that.

Facebook has had issues there, and I'd say Android has also had issues with similarly vague/permissive grants (local-only, completely outside OAuth2), and has learned ways to proactively manage those for users and keep sets of permissions minimized to apps you actively use/want. But none of those really has much to do with whether or not oauth2 is a great way to allow third party access to user resources. That remains a really solid control mechanism.