Even with instant personalization turned off, your friends can share your info on any service they get suckered into using. Given how many of my Facebook friends bombard me with quizzes and Farmville, I'm guessing that's going to happen a lot. You have to block each application individually.
Moreover, any site can display your profile information. http://cnn.com even seems to combine it with what CNN stories they liked recently, which makes me wonder how much data they can read back. Has anyone taken a look at the Facebook social plugins to determine how much data, if any, you can get out of them?
That's true for the social plugins, but if you've authenticated with the site (e.g., click the "log in" button at the top of any CNN page and log in with FB), any 3rd party running JavaScript on the page will have access to all of the data you've allowed the parent site to access.
Facebook uses their parent-child-parent iframe tricks to assign a first-party cookie for the host domain. This cookie contains the Facebook user id and the OAuth access token used to make requests to the Graph API.
Any JavaScript running on the page can snatch that cookie and send the data back up to its mothership, which can then impersonate the host domain to make API requests on behalf of the user. Fun stuff.
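A defender-side check for the exposure described in the comment above, as an added example that is not part of the original thread: it lists the cookies in a `document.cookie`-style string whose contents look like credentials, which is what every script on the page can read (HttpOnly cookies never appear in that string). The cookie name, field names and sample value are constructed assumptions, not Facebook's actual cookie format.

```javascript
// Field names that suggest a credential or user identifier (assumed list).
const SENSITIVE_KEY = /(^|_)(access_token|token|secret|session_key|sig|uid)$/i;

// Split a document.cookie-style string ("a=1; b=2") into [name, value] pairs.
function parseCookieString(cookieString) {
  return cookieString
    .split(';')
    .map((part) => part.trim())
    .filter((part) => part.length > 0)
    .map((part) => {
      const eq = part.indexOf('=');
      return eq === -1 ? [part, ''] : [part.slice(0, eq), part.slice(eq + 1)];
    });
}

// Decode a cookie value without throwing on malformed percent-escapes.
function safeDecode(value) {
  try {
    return decodeURIComponent(value);
  } catch (e) {
    return value;
  }
}

// Report cookies whose name, or whose query-string-encoded value,
// carries credential-like fields that page scripts can read.
function findScriptReadableCredentials(cookieString) {
  const findings = [];
  for (const [name, rawValue] of parseCookieString(cookieString)) {
    const value = safeDecode(rawValue).replace(/^"|"$/g, '');
    const fields = [];
    if (SENSITIVE_KEY.test(name)) fields.push(name);
    for (const [key] of new URLSearchParams(value)) {
      if (SENSITIVE_KEY.test(key)) fields.push(key);
    }
    if (fields.length > 0) findings.push({ cookie: name, fields });
  }
  return findings;
}

// Constructed sample: one SDK-style session cookie among ordinary ones.
const SAMPLE_COOKIES =
  'theme=dark; sdk_session_EXAMPLE="access_token%3DEXAMPLE-TOKEN%26uid%3D1000%26expires%3D0"; lang=en';
```

On a site you operate, calling `findScriptReadableCredentials(document.cookie)` from the console shows what every included third-party script has the same access to.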