There's plenty of manipulation out there (including by Facebook themselves), but I wouldn't consider an OAuth consent prompt as manipulation?

Cambridge Analytica may have lied about their intentions, but when requesting access, the Facebook consent prompt is very clear about what data would be shared. Why should Facebook be on the hook for CA's lies?

Being able to share your friends data or even your own so coarsely was a bad design. If it were me designing an API for Facebook apps, you'd only be able to present user data to users from packaged queries, none of the user data would be directly accessible to the app maker, and monetization would only be through ad display or in-app purchases. It'd be a much less popular API since you can't extract users data, but IMO, it's the only sensible form such an API can take.