"It wouldn't be a far fetched thought for someone to have constructed a, say OAuth 2.0-esque URL which, when requested, would result in the deletion of a resource, as an example to a colleague"

That does indeed sound extremely far fetched to me. Or even impossible. Can someone who knows more about OAuth tell me if this is realistic at all?

The proper solution to these sorts of problems is end-to-end encryption, be it OTR or GPG. Unfortunately, encryption is work (you at the very least have to authenticate your buddy once), and the general public doesn’t really seem to like work.