yibg 2 days ago
I don't like to defend Facebook either, but where does this end? Does Google need to verify each email it sends in case it contains something illegal? Or AWS before you store something in a publicly accessible S3 bucket?
AnotherGoodName 2 days ago | parent | next
Here's one that we really don't want to acknowledge because it may give some sympathy towards Facebook (I do not work for them but am well aware of Cambridge Analytica): Cambridge Analytica was entirely a third party using "Click here to log in via Facebook and share your contacts" via FB's OpenGraph API. Everyone in their mind is sure that it was Facebook just giving away all user details and that's what the scandal was about, but if you look at the details the company was using the Facebook OpenGraph API and users were blindly hitting 'share', including all contact details (allowing them to do targeted political campaigning), when using the Cambridge Analytica quiz apps. Facebook's fault was allowing Cambridge Analytica permission to that API (although at the time they granted pretty much anyone access to it since they figured users would read the popups).

Now you might say "a login popup that confirms you wish to share data with a third party is not enough" and that's fair. Although that pretty much describes every OAuth flow out there, really. Also think about it from the perspective of any app that has a reasonable reason to share a contacts list. Perhaps you wish to make an open source calendar and have a share-calendar flow? Well, there's precedent that you're liable if someone misuses that API.

We all hate big tech. So do juries. We'll jump at the chance to find them guilty and no one else in tech will complain. But if we think about it for even a second, quite often these precedents are terrible and stifling to everyone in tech.
banannaise 2 days ago | parent | prev
Ideally, it ends with Facebook implementing safeguards on data that could be illegal to use, and having a compliance process that rejects attempts to access that data for illegal reasons.
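The two comments above disagree about where the responsibility sits, but both describe the same control point: the platform decides which registered app may request which scopes, and the user's consent pop-up is only one of the checks. The following is an added example (not code from this thread, from Facebook, or from any real OAuth server) of a scope-gated access decision in which a request is denied unless the scope is approved for that app, the user actually consented to it, and a restricted scope such as friends' contacts has passed a platform-side compliance review. The app registry, scope names and the review flag are constructed assumptions for illustration.

```python
"""Scope-gated access decision for a third-party app platform.

Added example, not Facebook's or any real OAuth server's code. The app
registry, scope names and the 'compliance review' flag are constructed
assumptions that illustrate the point under discussion: the platform,
not only the user's consent pop-up, decides which app may touch which data.
"""
from dataclasses import dataclass, field

# Scopes restricted enough to need a platform-side review before any app
# can use them (assumed scope name, not a real API identifier).
REVIEW_REQUIRED_SCOPES = {"friends_contacts"}


@dataclass
class RegisteredApp:
    app_id: str
    approved_scopes: set[str]                               # scopes the platform granted this app
    reviewed_scopes: set[str] = field(default_factory=set)  # restricted scopes that passed review


@dataclass
class AccessRequest:
    app_id: str
    user_id: str
    requested_scopes: set[str]
    consented_scopes: set[str]  # what the user actually clicked through


@dataclass
class Decision:
    allowed: bool
    granted: set[str]
    reasons: list[str]


def evaluate(registry: dict[str, RegisteredApp], req: AccessRequest) -> Decision:
    """Grant only scopes that are (1) approved for this app, (2) consented to by
    the user, and (3) compliance-reviewed if they are in the restricted set.
    Any shortfall denies the whole request instead of silently narrowing it,
    and every reason is recorded so denials can be audited."""
    app = registry.get(req.app_id)
    if app is None:
        return Decision(False, set(), [f"unknown app {req.app_id!r}"])
    reasons: list[str] = []
    for scope in sorted(req.requested_scopes):
        if scope not in app.approved_scopes:
            reasons.append(f"{scope}: not approved for app {app.app_id}")
        elif scope not in req.consented_scopes:
            reasons.append(f"{scope}: user {req.user_id} did not consent")
        elif scope in REVIEW_REQUIRED_SCOPES and scope not in app.reviewed_scopes:
            reasons.append(f"{scope}: restricted scope without compliance review")
    if reasons:
        return Decision(False, set(), reasons)
    return Decision(True, set(req.requested_scopes), [])


# Constructed registry: a calendar app with a legitimate contacts use case that
# passed review, and a quiz app that was approved for contacts but never reviewed.
REGISTRY = {
    "calendar": RegisteredApp("calendar", {"email", "friends_contacts"}, {"friends_contacts"}),
    "quiz": RegisteredApp("quiz", {"email", "friends_contacts"}),
}


def demo_quiz() -> Decision:
    # User consented to everything, but the quiz app never passed review.
    return evaluate(REGISTRY, AccessRequest(
        "quiz", "u1", {"email", "friends_contacts"}, {"email", "friends_contacts"}))


def demo_calendar() -> Decision:
    # Same scopes, reviewed app, full consent: allowed.
    return evaluate(REGISTRY, AccessRequest(
        "calendar", "u1", {"email", "friends_contacts"}, {"email", "friends_contacts"}))


def demo_no_consent() -> Decision:
    # Reviewed app, but the user only consented to email.
    return evaluate(REGISTRY, AccessRequest("calendar", "u2", {"friends_contacts"}, {"email"}))


if __name__ == "__main__":
    for name, d in (("quiz", demo_quiz()), ("calendar", demo_calendar()),
                    ("no-consent", demo_no_consent())):
        print(name, "ALLOW" if d.allowed else "DENY", sorted(d.granted) or d.reasons)
```

The design choice worth noting is that the three checks are independent: a pop-up the user clicks through satisfies only the consent check, so an app that is approved but unreviewed is still denied, which is the kind of platform-side safeguard the second comment asks for and the gap the first comment describes.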