I don’t know if the new Twitch friend system uses real stream viewer data (which would make it easy to implement) or also the chat users, but I think there are easy ways to see if the user is watching the stream (since the viewer count also displays the real viewers). There may still be ways to trick the system, but it’s definitely more accurate than querying the chat users.
About the privacy aspect: Maybe you could add a setting for the user to generally disallow listing his account in this type of request. Another approach would be to require a scope in the streamers account, so the API requester needs the “confirmation” of him, so your data is not completely public. Protecting the data with an additional scope on the viewer side is to complicated for some use cases in my opinion, even if I would be happy with this solution, too.