Another thing that curiously hasn’t been mentioned yet in this thread is the development cost of changing all apps that currently use basic auth to use Oauth2 and maintenance burden of adding and supporting Oauth2 as an authentication mechanism. Would @02JanDal (and all other people who I can’t be bothered to look up in related thread for the purpose of mentioning them in this somewhat satirical retort) be ready to write PR for all existing and future apps that attempt (or will attempt in the future) to authorize to OSM API, as well as promising that they will help maintain all those authentication libraries and associated code for the next 5-10 years including handling any security concerns exposed through this new potential attack vector?
P.S. I was under impression that @NorthCrab has already promised to deliver not only the Oauth2 (and as I understand it also PAT by his own suggestion here), but a complete rewrite of API in python (including all that functionality) as well.