Every SaaS app asks for OAuth permissions you don't understand and there's no way to see what they actually access

cybersecurity
You sign up for a project management tool. It offers 'Sign in with Google'. You click it. A consent screen says: 'This app wants to: View your email address, View your Google Drive files, Send email on your behalf, Manage your calendar.' You need the tool for project management, so why does it need to send email on your behalf? You click 'Allow' because the alternative is not using the tool. A few years on you have 40+ apps with Google OAuth access, each holding permissions you granted long ago. You have no idea which of those apps still exist, which have been acquired, or which have had data breaches. Three of them were acqui-hired and their Google API access went with them to the acquiring company, a company you never agreed to share data with.

So what?

OAuth was designed to let a user delegate limited access to an app without handing over a password. In practice the consent screen is a 'click Allow or go away' wall. Apps ask for every scope they might ever need up front: Google does support incremental authorization (an app can request additional scopes later and keep the ones already granted), but requesting on demand means more consent prompts and more code paths, so most apps do not bother. Users cannot practically audit their grants either. Google's third-party connections page lists each connected app and the scopes it holds, but not what data the app has actually read or written, and the scope labels are vague: 'Manage your calendar' covers everything from reading free/busy status to deleting every event. There is no per-app activity log for a consumer Google account (Google Workspace administrators get an OAuth token audit log for their domain; individuals get nothing comparable). The only decision you can make after the fact is to revoke the whole grant or leave it.

Why does this persist?

Scopes are defined by the platform (Google, Microsoft), and most of them are coarse. Gmail's read scope means all mail, not 'messages under a specific label', and there is no scope that would express the narrower need. A few narrow scopes do exist (Drive's drive.file grants access only to files the app created or the user opened with it; Gmail has a send-only scope), but they are the exception, so apps request broad permissions because the narrow ones they would need are not offered. The platforms have little incentive to add granular scopes: every new scope is more API surface to document and support and more consent friction for the developers they want adopting the platform.
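The two practical levers the text points at, auditing the scopes an app holds against what its function actually needs and requesting scopes incrementally instead of all at once, are shown below as an added example. This is not code from the original post or from any of the products mentioned. The scope URIs are Google's real scope identifiers and `include_granted_scopes=true` is Google's real incremental-authorization parameter; the app names, the grant data, the "needed" scope sets and the risk ranking are constructed for the example.

```python
"""Audit OAuth grants for excess scopes, and build minimal vs. incremental
Google authorization requests. Sample data is constructed, not real grants."""
from urllib.parse import urlencode

# Coarse sensitivity ranking for a few real Google scope URIs. The ranking
# itself is an assumption made for this example, not a Google classification.
SCOPE_RISK = {
    "openid": 1,
    "https://www.googleapis.com/auth/userinfo.email": 1,
    "https://www.googleapis.com/auth/calendar.readonly": 2,
    "https://www.googleapis.com/auth/drive.file": 2,        # only files the app created/opened
    "https://www.googleapis.com/auth/calendar": 3,          # read/write all events
    "https://www.googleapis.com/auth/gmail.readonly": 4,    # read ALL mail
    "https://www.googleapis.com/auth/gmail.send": 4,        # send as the user
    "https://www.googleapis.com/auth/drive": 4,             # all Drive files
}

EMAIL = "https://www.googleapis.com/auth/userinfo.email"
CAL = "https://www.googleapis.com/auth/calendar"
CAL_RO = "https://www.googleapis.com/auth/calendar.readonly"
DRIVE = "https://www.googleapis.com/auth/drive"
DRIVE_FILE = "https://www.googleapis.com/auth/drive.file"
GMAIL_SEND = "https://www.googleapis.com/auth/gmail.send"

# Constructed grants (hypothetical app names): what the app was granted
# versus the scopes its stated function actually requires.
GRANTS = [
    {"app": "project-tool", "granted": {EMAIL, DRIVE, GMAIL_SEND, CAL}, "needed": {EMAIL, CAL_RO}},
    {"app": "meeting-scheduler", "granted": {EMAIL, CAL}, "needed": {EMAIL, CAL}},
    {"app": "doc-signer", "granted": {EMAIL, DRIVE_FILE}, "needed": {EMAIL, DRIVE_FILE}},
]


def excess_scopes(grant):
    """Scopes held beyond the app's need. Note that a full 'calendar' grant is
    excess even when 'calendar.readonly' is needed: the scopes are distinct."""
    return sorted(grant["granted"] - grant["needed"])


def audit(grants):
    """Rank grants by the most sensitive excess scope each app holds."""
    report = []
    for g in grants:
        excess = excess_scopes(g)
        # Unknown scopes get a middling rank rather than being ignored.
        risk = max((SCOPE_RISK.get(s, 3) for s in excess), default=0)
        report.append({"app": g["app"], "excess": excess, "risk": risk})
    return sorted(report, key=lambda r: r["risk"], reverse=True)


def auth_url(client_id, redirect_uri, scopes, incremental=False):
    """Build a Google OAuth 2.0 authorization request for exactly `scopes`.
    With incremental=True, include_granted_scopes=true asks Google to fold
    previously granted scopes into the new token, so an app can start with
    the minimum and ask for more only when a feature needs it."""
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": "code",
        "scope": " ".join(sorted(scopes)),
        "access_type": "offline",
    }
    if incremental:
        params["include_granted_scopes"] = "true"
    return "https://accounts.google.com/o/oauth2/v2/auth?" + urlencode(params)


if __name__ == "__main__":
    for row in audit(GRANTS):
        print(f"{row['app']}: risk={row['risk']} excess={row['excess']}")
    # First sign-in: identity only. Later, when the calendar feature is used,
    # request just that scope on top of what was already granted.
    print(auth_url("CLIENT_ID", "https://app.example/cb", {"openid", EMAIL}))
    print(auth_url("CLIENT_ID", "https://app.example/cb", {CAL_RO}, incremental=True))
```

Run against a real account, the `GRANTS` list would come from wherever the grants are recorded (a Workspace admin's token audit export, or a hand-copied list from the third-party connections page), with `needed` filled in from each app's documented function. The point of the ranking is triage: an app holding a full Gmail or Drive scope it does not use is the one to revoke first.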

Evidence

Google OAuth connected-app audit: the average user has 40+ connected apps (Cerby research).
Scope granularity: Google's https://www.googleapis.com/auth/gmail.readonly scope covers every message in the mailbox; there is no label- or sender-filtered variant.
Google provides no per-app data access log to consumer account holders; the third-party connections page shows granted scopes only.
Meta/Cambridge Analytica (2018) was at bottom an over-permission problem in Facebook Login, which is built on OAuth 2.0: the grant made to a quiz app covered the consenting users' friends' data as well as their own.
Astrix Security research: 50% of enterprise OAuth grants are overprivileged.