Yeah I predict that a bad actor is gonna attack the channel itself rather than the auth.grant vector.
Since in a lot of cases there is no expectation that devs use the grant topic.
But will use something like the follows endpoint, which is “easier” to abuse via follow flood. Which Twitch itself is working on resolving.
Given a follow flood can be legit (big raid into a smaller streamer for example).