But there's nothing in the spec that requires you to disclose that data to begin with.
And there's nothing they could write in the spec to deny that besides a perfunctory "please don't do that" which companies could ignore without consequence.
Sure they could. What you allow or deny would be enforced by the identity provider. The relying party simply would not receive the data and could not access it.
However, that’s really about OpenID, not about OAuth.
The spec could say something like "a client may ask for extended information but can't demand it unconditionally and must gracefully handle situations when access to particular fields is denied".