
I wonder how many applications do the same thing and haven't been called out on it.


The difference here is the "grant full access" screen was never shown to users. That shouldn't be possible, and speculation is that either the app somehow hijacked past the screen, or Niantic, being an ex-Google company, was whitelisted to avoid this.

I can easily see how the second would happen. I wonder if Ingress (their previous inside-Google app) even showed up on your list of authorized third parties?


From what others have posted here, any native app that loads the OAuth flow in a web view control, or whatever it's called, has full control over it, and so can do anything it wants.



