
I agree, sounds more like the contacts were imported through app permissions or something, unless LinkedIn found a real vulnerability in a common browser or leveraged some CSRF or XSS attack, but seems doubtful given it's Google. It's so easy just to accept the laundry list of permissions for common apps.

I'm doing some email outreach through HubSpot, which requires access to my Gmail, so I set up a separate email so they don't have access to my main account. I don't believe HubSpot will do anything with my offline access token, but it's just one more system that has access, so better to follow the whole principle of least privilege.



