I noticed this is currently using transition:generic for the OAuth permissions.
This blanket allows all permissions to the account, which is now considered bad practice.
Consider using just the minimum app.bsky.actor.profile you need to get their profile information.
Here's some reference: https://underreacted.leaflet.pub/3mjfozhlhys2z