You're leaving out a very important part of the Cambridge Analytica story, which is "transitive permissions". "Normal" people think of transitive permissions very different from computer science folks.
That is, the vast majority of people whose data was sucked up by Cambridge Analytica did not explicitly authorize the app. Instead, their friends did, and at the time authorizing a third party app meant the app got to see everything you did, including all of the data about your friends. Now, you may argue that if you share your data with your friends that you're then at the mercy of whoever they give this data to, but I guarantee very few people at the time understood this - saying "I authorize Bob to see my FB data" is different, in most people's minds, to saying "I authorize Bob to see my data, and also any random app that can convince Bob into giving them access." Facebook was rightly pilloried for this permissions model.
Right, thanks for the demonstration about people on HN blaming the API rather than the user or the abuser too. Do you now see why the only realistic option is for platforms to not provide such dangerous unscoped APIs, or in cases where they do provide such an API, have rigorous security and purpose audits?
That is, the vast majority of people whose data was sucked up by Cambridge Analytica did not explicitly authorize the app. Instead, their friends did, and at the time authorizing a third party app meant the app got to see everything you did, including all of the data about your friends. Now, you may argue that if you share your data with your friends that you're then at the mercy of whoever they give this data to, but I guarantee very few people at the time understood this - saying "I authorize Bob to see my FB data" is different, in most people's minds, to saying "I authorize Bob to see my data, and also any random app that can convince Bob into giving them access." Facebook was rightly pilloried for this permissions model.