per oauth spec you get told what is shared. usually it’s just your user id (which often is email or username), i haven’t seen crazy scopes in the wild in a while
Some services even have an option to only share a dummy email and not your real. Apple for example does this, so all the site gets is “36382618161@apple.com” (don’t know the exact format). And it is only tied to your real email address on apple’s side
They do not, normally, unless you specifically allow that. Yet, indeed, many services enable/require quite permissive scopes by default.
so they mostly do…
per oauth spec you get told what is shared. usually it’s just your user id (which often is email or username), i haven’t seen crazy scopes in the wild in a while
Some services even have an option to only share a dummy email and not your real. Apple for example does this, so all the site gets is “36382618161@apple.com” (don’t know the exact format). And it is only tied to your real email address on apple’s side
Regardless of your privacy choices, if you are using a shared login, that activity is connected with your broader profile.