It seems the outfit who wrote the Pokemon Go app were a little too closely associated with Google, and somehow used an authentication path intended for Chrome, which was capable of getting full account access. But it probably never did.
"""
- Undocumented parts of auth flow are bad, and can lead to problems like this ambiguity
- The direct token that Niantic gets can’t access the gmail api / gcal api
- This token is overpermed, due to the https://www.google.com/accounts/OAuthLogin scope
""" - from the textual explanation at
https://gist.github.com/arirubinstein/fd5453537436a8757266f908c3e41538
See also a sort of announcement but-not-apology at