I mean, I know that such an open oAuth impl can lead to problems.

I could imagine an example scenario where @pixelfed moved towards a per-app approval process with a centralized curated list that app devs would only need to register once by default, obviously we'd keep the current open impl as an option, but this could prevent crawlers/3rd party services and other abuses

That was just an example, not saying we're going that way, but it's something to think about