During discussion of this in our Picolabs meeting, it became clear that there was a serious flaw. Requiring SPA developers to somehow know which KRL functions to call with /sky/cloud and which to call with /oauth/resource leaks information, with all of the attendant risks. Many thanks to Phil Windley for helping us to understand this.
I have updated the proof-of-concept to outline a more general solution that doesn't leak information, with a postscript added today.