imo this doesn;t feel like scam prevention, it's permission centralisation. the attack surface didn’t shrink, just moved upstream to whoever owns the allowlist.