As someone who has recently developed an app with Google OAuth I'd like to second this. Google lets you register which servers the auth tokens can be used from, which means that even if the application database gets hacked your data is safe. Tokens are also rate limited at both the user and application level, which means that even if there is a zero-day attack targeting your web servers, you can set up monitoring software to automatically revoke your tokens so that no more than a tiny percentage of data is at risk of getting exposed.
Although it can be dangerous to implement your own OAuth as a provider due to the complexity of the protocol, if you're merely granting an app access to your Facebook or Google account then as a user the security story is quite good.
> Google lets you register which servers the auth tokens can be used from, which means that even if the application database gets hacked your data is safe.
This works when there are places of origin it can track but if you're handling tokens via a mobile device it's not as easy.
Regardless I wouldn't say your data is "safe". If someone broke into your system and you cached Google's data (which you probably did; federated queries suck) then your data isn't safe at all. Even the token can be re-used (I mean if someone broke in I don't see why they couldn't run stuff on the same server or even looking like it came from the same server).
Although it can be dangerous to implement your own OAuth as a provider due to the complexity of the protocol, if you're merely granting an app access to your Facebook or Google account then as a user the security story is quite good.