User Details
- User Since
- Apr 5 2011, 7:14 PM (715 w, 12 h)
Sep 12 2016
You're right! That probably makes it more of a feature request, less a bug report. (extremely low priority FR)
Mar 13 2014
Whatever bug is preventing the removal of phabricator.com from App Domains is at fault here. Its presence authorizes the entirety of the domain for the OAuth flows (unless overridden by "Valid OAuth redirect URIs"). We (Facebook) need to do a much better job of guiding developers through reducing OAuth attack surface - the redesigned dev site is noticeably worse in this context.
Mar 10 2014
It's slightly convoluted, but once Phabricator has the app secret, it's able to check the configuration by obtaining an app access token.
Adding to the list of potential mitigations, I do think it's worthwhile to ask installs to explicitly whitelist the full path. It's tricky to identify all situations where these params leak through referrers or other means and using a single path is a healthy precaution. This would mean that any changes to the auth URI would be a breaking change to existing installs, so you'll need to decide if the URIs are sufficiently stable at this point.
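The two policies contrasted in the Mar 13 and Mar 10 comments above (a domain-wide "App Domains" entry versus an explicit whitelist of the full redirect path), as an added example that is not part of the thread and is not Phabricator or Facebook code. The hostnames and the callback path are assumptions chosen to look like a Phabricator install; the checks themselves are generic OAuth redirect_uri validation and apply to any provider.

```python
"""Redirect URI policy check for an OAuth client, contrasting
"any URI on an authorized domain" with an exact whitelist of full
redirect paths. Added example, not Phabricator or Facebook code.
The domains, paths and URIs below are constructed for illustration."""
from urllib.parse import urlsplit
import posixpath

# Assumed install: the Facebook auth adapter callback lives at this exact path.
APP_DOMAINS = {"phabricator.com"}
VALID_REDIRECT_URIS = {
    "https://secure.phabricator.com/auth/login/facebook:facebook.com/",
}


def _normalize(uri):
    """Canonicalize scheme, host, port and path so an exact-match check
    cannot be bypassed with mixed-case hosts, default ports or
    '/callback/../elsewhere' dot segments."""
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    if port is None or (scheme, port) in (("https", 443), ("http", 80)):
        netloc = host
    else:
        netloc = f"{host}:{port}"
    path = posixpath.normpath(parts.path or "/")
    # normpath strips a trailing slash; keep it, since "/a/" and "/a" differ.
    if parts.path.endswith("/") and not path.endswith("/"):
        path += "/"
    return scheme, netloc, path, parts.query, parts.fragment


def allowed_by_domain(uri):
    """'App Domains' style policy: any https URI whose host is a registered
    domain or a subdomain of one is accepted, whatever the path or query.
    Every page on the domain that leaks its URL (referrer, open redirect,
    error page) then becomes a place the authorization code can land."""
    scheme, netloc, _, _, _ = _normalize(uri)
    host = netloc.split(":")[0]
    return scheme == "https" and any(
        host == d or host.endswith("." + d) for d in APP_DOMAINS
    )


def allowed_by_exact_uri(uri):
    """Full-path whitelist: scheme, host, port and normalized path must equal
    a registered URI exactly; query strings and fragments are rejected so the
    provider only ever redirects to the one handler the install registered."""
    scheme, netloc, path, query, fragment = _normalize(uri)
    if query or fragment:
        return False
    for registered in VALID_REDIRECT_URIS:
        r_scheme, r_netloc, r_path, _, _ = _normalize(registered)
        if (scheme, netloc, path) == (r_scheme, r_netloc, r_path):
            return True
    return False


def compare_policies(candidates):
    """Return {uri: (domain_policy_result, exact_policy_result)} for review."""
    return {u: (allowed_by_domain(u), allowed_by_exact_uri(u)) for u in candidates}


if __name__ == "__main__":
    # Constructed candidates: the real callback, a same-domain page with an
    # outbound "next" parameter, a traversal attempt, and a look-alike host.
    samples = [
        "https://secure.phabricator.com/auth/login/facebook:facebook.com/",
        "https://phabricator.com/some/page?next=https://attacker.example/",
        "https://secure.phabricator.com/auth/login/facebook:facebook.com/../../leak",
        "https://phabricator.com.attacker.example/auth/login/facebook:facebook.com/",
    ]
    for uri, (by_domain, by_exact) in compare_policies(samples).items():
        print(f"domain={by_domain!s:5} exact={by_exact!s:5} {uri}")
```

The domain policy passes the second and third candidates, which is exactly the exposure described above: any path on an authorized domain is a valid landing spot for `code`, so a single referrer leak or open redirect on that domain is enough. The exact policy only passes the registered callback, which is why changing the callback path later is a breaking change for every install that has whitelisted it.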