In the sense that some users may not have realized what they were allowing, that's fair. But that just implies that the permission dialog for this sort of thing should be pretty onerous while being very easy to understand.
There are details that aren't clear here too: Did Netflix request read permissions when you signed in via Facebook? If so, that's shitty and is worthy of condemnation, but the onus falls more on Netflix than Facebook there. You should be able to sign in with Facebook without expecting your DMs to be sent to Netflix. It's still on Facebook, but to a much lesser extent: They should make what's being shared super clear when you sign in with Facebook, and that includes making the sign in super onerous and scary if its something like reading DMs, so the user doesn't miss these details. And they should be reviewing third party apps and what permissions they request, and making sure its inline with the functionality the app is presenting.
However, if the normal Facebook authentication flow did not grant this permission, and the permission was only granted when the user accessed the "Netflix Chat" or whatever feature which obviously did, in actuality, require the read permission to function, then this isn't that big a deal.
