> would be shared with an advertising partner

In this case Netflix was not an advertising partner. You were signing into Facebook Chat inside the Netflix chat, and participating in Facebook chat messages inside the Netflix app.

You were opting in and using the Netflix app as a Facebook Chat client. Its like being surprised the Pidgin executable could see your Jabber messages.

In the sense that some users may not have realized what they were allowing, that's fair. But that just implies that the permission dialog for this sort of thing should be pretty onerous while being very easy to understand.

There are details that aren't clear here too: Did Netflix request read permissions when you signed in via Facebook? If so, that's shitty and is worthy of condemnation, but the onus falls more on Netflix than Facebook there. You should be able to sign in with Facebook without expecting your DMs to be sent to Netflix. It's still on Facebook, but to a much lesser extent: They should make what's being shared super clear when you sign in with Facebook, and that includes making the sign in super onerous and scary if its something like reading DMs, so the user doesn't miss these details. And they should be reviewing third party apps and what permissions they request, and making sure its inline with the functionality the app is presenting.

However, if the normal Facebook authentication flow did not grant this permission, and the permission was only granted when the user accessed the "Netflix Chat" or whatever feature which obviously did, in actuality, require the read permission to function, then this isn't that big a deal.

That's not what the feature was. The feature was that you could use Messenger inside Netflix and Spotify to chat with your friends without leaving those apps. If you opted into using Messenger to chat with your friends inside Spotify, I'm confused why you think Spotify couldn't access your messages, given that Messenger was unencrypted at the time and you were running it inside Spotify. How else would the feature work? It's Messenger running inside Spotify; just like how iOS has access to the unencrypted files and network traffic of any app on your iPhone, Spotify could access any of the unencrypted files or network traffic in Spotify.

It's a dumb feature and I'm glad they killed it, but the "gotcha" here isn't much of a gotcha IMO. It was an opt-in feature to use Messenger inside these other apps; of course the other apps could see your messages if you opted into that. It's like complaining that GMail "shares your private email" with Apple Mail if you use Apple Mail as your mail client.

When you give your mail client credentials to read your email , would you not expect your client to be able to read your mail?

On Android, when you give a third party client permission to receive SMS, you don’t expect it to have access to your SMS?