This doesn’t perfectly answer everyone’s concerns but wee actually have a mechanism in place to perform 3-legged oauth:
http://tools.ietf.org/html/rfc6749#section-4.1.1
However… there are some other technical concerns that we have to address there and the oauth2 section of our site needs more work in order to deal with it. I suspect it’ll be another few months before I have a chance to circle back around and address them.
In the meantime I’d just ask that developers take as much precaution as they can regarding the visibility of their client id and secret. Obviously right now you’d have to include both of these with your app and at the moment that’s the best you can do until I can provide you with more options.