The current documentation/implementation of composer allows for a large number of attack surfaces.
A "deployed" website[ie a website either installed using composer or a website which is installed from a downloaded zip file] should not have any need for the various development requirements - such as phpunit and other dev tools. Instead of requiring installers to remember to pass --no-dev to the commands - these options can be defined in the composer.json file [ie have a composer.json.dev and a composer.json.prod file - leave composer.json as it is in the github repository, but during the build process swap for the production/safer composer file].
By the same token, using the development version of vendor libraries adds yet more insecurity. A quick search for $_GET variables shows a large number of unsafe usages in the folder lusitanian/oauth/examples - with no fault to the library author. Examples and demo code do not need to be secure - it is expected that implementors would not deploy such code.
For the oath examples, they are protected by the htaccess files from direct access - however if Magento2 can be tricked into loading one that leads to security issues. Due to the reliance on the composer autoloading mechanisms such mischief is possible in theory.