Would this really be so bad?
- When you create an app, it should declare which permissions it actually requires to function (disabled, ticked checkbox) and which it desires by default (ticked checkbox.)
- Everything not required is optional/user definable.
- Permission to posting a tweet is separate from other, private profile writing operations, since it's so socially destructive.
- Apps would never be allowed to require posting permission (if denied, they fall back to generating a URL the user can use to manually post through the Twitter website.)
- I think this also makes the permissions/capabilities copy clearer. Bonus.
Edit/Update: A little discussion between OAuth contributors broke out on Buzz in response to this.