
This solution is insecure. Any person can intercept the token and do harm to your application.



I completely agree. Hence I said it's temporary. When you have a huge influx of paying customers who cannot log in to do their work, you have to balance that a bit.


It doesn't seem too bad when enforcing https (using the return address whitelisting in the developer console). Am I missing something?


The customer will see the token anyway.


Ah yes, of course. I did miss that. The implicit (client-side) auth flow gets the access token directly and doesn't need another request to the API, that's the whole point.

This is indeed rather unwanted, even more so with the new more restrictive API usage policy and the sandbox.
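As an added example that is not part of the thread, the following Python models what the customer's user agent can read in the implicit flow versus the authorization code flow; the redirect URI, client secret and token values are constructed placeholders, and the "authorization server" is a dictionary standing in for the real one.

```python
"""Added example (not from the thread): models what the customer's browser
sees in the OAuth 2.0 implicit flow versus the authorization code flow.
All URLs, secrets and token values below are constructed placeholders."""
import secrets
from urllib.parse import urlparse, parse_qs

# Constructed authorization-server state: what has been issued and of what kind.
_ISSUED = {}
_SERVER_SECRET = "server-only-secret"  # constructed; lives only on the backend

def implicit_redirect(redirect_uri: str, state: str) -> str:
    """Implicit grant: the access token is returned directly in the URL
    fragment, so the user agent (the customer) holds the bearer token."""
    token = secrets.token_urlsafe(16)
    _ISSUED[token] = "access_token"
    return f"{redirect_uri}#access_token={token}&token_type=bearer&state={state}"

def code_redirect(redirect_uri: str, state: str) -> str:
    """Authorization code grant: only a one-time code reaches the browser."""
    code = secrets.token_urlsafe(16)
    _ISSUED[code] = "code"
    return f"{redirect_uri}?code={code}&state={state}"

def exchange_code(code: str, client_secret: str) -> str:
    """Back-channel exchange done by the application server, never by the
    browser. The code is single use and the client secret is required."""
    if _ISSUED.pop(code, None) != "code":
        raise ValueError("invalid or reused code")
    if client_secret != _SERVER_SECRET:
        raise ValueError("bad client secret")
    token = secrets.token_urlsafe(16)
    _ISSUED[token] = "access_token"
    return token

def browser_visible_values(redirect_url: str) -> dict:
    """Everything the user agent can read from the redirect: query and fragment."""
    u = urlparse(redirect_url)
    seen = {k: v[0] for k, v in parse_qs(u.query).items()}
    seen.update({k: v[0] for k, v in parse_qs(u.fragment).items()})
    return seen

def browser_holds_access_token(redirect_url: str) -> bool:
    """True when the redirect hands a bearer token to the customer's browser.
    HTTPS and redirect-URI whitelisting do not change this: the token is in a
    URL the customer can read, which is the point made in the thread."""
    return "access_token" in browser_visible_values(redirect_url)
```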




