It's Twitter's decision that each 3rd-party gets full "be you" permissions; they could choose otherwise and still use OAuth.
And the fact that everything done by a bad actor can be attributed to them -- for reversal or blanket punishment -- does add a lot of security, in addition to the party-at-a-time revocability.