Great point. Also, there's a range of auditing – from code-level audits or the inclusion of first-party analytics, to spot checks, to self-certification.
I've undergone audits for "Sign in with Facebook" usage in the past on a small app (~50k FB auth'd users), and it was enough of a spot-check that they probably catch egregious misuse with not a lot of effort.