Feature proposal: ability to prevent admins/groups from using non-trusted OAuth applications

Proposal

It would be a great defense-in-depth feature to have a setting that prevents admin accounts (or even whole groups) from connecting OAuth applications which are not trusted.

Such a feature should block access for arbitrary OAuth applications that request scopes other than read_user, openid, email and profile, as a measure against OAuth-based phishing.
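The check the proposal describes, written out as an added example. This is illustrative code and not GitLab's implementation: the `UntrustedAppPolicy`, `User` and `OAuthApplication` types, the flat group names and the `trusted` flag are assumptions made for the example. The decision fails closed when an untrusted application sends no explicit scope at all, since the server's default scopes cannot be assumed to be identity-only.

```python
"""Policy check for the proposed "block untrusted OAuth apps" setting.

Added example, not GitLab code. Data structures and names are assumptions.
"""
from dataclasses import dataclass
from typing import FrozenSet, Tuple

# Scopes the proposal treats as low-risk: identity only, no repository or API access.
LOW_RISK_SCOPES: FrozenSet[str] = frozenset({"read_user", "openid", "email", "profile"})


@dataclass(frozen=True)
class OAuthApplication:
    client_id: str
    trusted: bool  # assumption: flag set by an instance admin, not by the app owner


@dataclass(frozen=True)
class User:
    username: str
    is_admin: bool = False
    groups: FrozenSet[str] = frozenset()  # assumption: flat group names, no nesting


@dataclass(frozen=True)
class UntrustedAppPolicy:
    restrict_admins: bool = True
    restricted_groups: FrozenSet[str] = frozenset()


def parse_scopes(scope_param: str) -> FrozenSet[str]:
    """Parse the OAuth 2.0 'scope' parameter: space-delimited (RFC 6749, section 3.3).

    '+' is accepted too, since form-encoding turns spaces into '+'. Case is normalised
    so 'READ_USER' cannot slip past a comparison against the lowercase allow-list.
    """
    return frozenset(s.lower() for s in scope_param.replace("+", " ").split())


def is_restricted(user: User, policy: UntrustedAppPolicy) -> bool:
    """True if the user is covered by the setting: an admin, or a member of a listed group."""
    if policy.restrict_admins and user.is_admin:
        return True
    return bool(user.groups & policy.restricted_groups)


def authorization_decision(
    user: User, app: OAuthApplication, scope_param: str, policy: UntrustedAppPolicy
) -> Tuple[bool, str]:
    """Decide whether the authorization request may proceed. Returns (allowed, reason)."""
    if app.trusted:
        return True, "trusted application"
    if not is_restricted(user, policy):
        return True, "user not covered by the policy"

    scopes = parse_scopes(scope_param)
    if not scopes:
        # Fail closed: an empty scope list means server defaults apply, and those
        # are not guaranteed to be identity-only.
        return False, "untrusted application with no explicit scopes"

    excess = sorted(scopes - LOW_RISK_SCOPES)
    if excess:
        return False, "untrusted application requested restricted scopes: " + " ".join(excess)
    return True, "untrusted application limited to identity scopes"


if __name__ == "__main__":
    # Constructed sample data for a quick run.
    policy = UntrustedAppPolicy(restricted_groups=frozenset({"security"}))
    admin = User("root", is_admin=True)
    phishing_app = OAuthApplication("c0ffee", trusted=False)
    for scope in ("read_user openid", "read_user api", ""):
        print(repr(scope), authorization_decision(admin, phishing_app, scope, policy))
```

The ordering matters: a trusted application is never subject to the scope check, and a user outside the policy keeps today's behaviour, so the setting only narrows what an untrusted application can obtain from the accounts an attacker would most want to phish.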