Large companies have fallen into this trap [1]. So you are right that aud addresses the problem, but it's widespread enough to question if it really affects just coding camp content farms. Hard to grok is probably possibly in some way a design flaw.

[1] https://salt.security/blog/oh-auth-abusing-oauth-to-take-ove...