
How is it a security win in a native app? The app controls the web view and can get at the password. It is the illusion of security with the added confusion of acting differently from other services (like e-mail).


Quite right. I was momentarily blinded by the idea of being able to grant specific access rights to specific applications without giving them password access, but clearly if they control the web view you are doing this through, not much has been gained.


Twitter's API does not only service native (smartphone) apps. xAuth is always abysmal security; OAuth provides in some cases some increased security.


Which is the whole point of the argument:

OAuth makes sense for browser based applications/access from one web application to another. It makes no sense for native apps since those can still grab your credentials in a wild variety of ways.

If you agree with that, then you should see that the change from

"Choose xAuth or OAuth, based on preference and usage"

to

"Use OAuth unless you are the official Twitter client, if it makes sense or not"

is questionable.


These two arguments are separate. A malicious app that steals credentials (wait, in Gruber's world these apps are vetted, right?) is going to steal credentials whether it uses xAuth or OAuth. A non-malicious app that uses xAuth could in theory be exploited to reveal credentials whereas if it just used OAuth it wouldn't be an issue of the same magnitude. It is a security win. You can argue the magnitude of the win all you want.
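The "magnitude" point in the comment above comes down to blast radius: what an attacker ends up holding after a non-malicious app is compromised, and whether revoking what leaked actually ends the access. The following is an added, constructed model (not code from the thread or from Twitter's API) that contrasts the two flows on a toy service. The `Service`, `NativeApp`, `xauth_login`, `oauth_login` and `exposure_after_revoke` names are hypothetical, and the model assumes the OAuth password prompt happens outside the app's control (a system browser), which is exactly the assumption the first two comments question for an app-controlled web view.

```python
import hashlib
import hmac
import secrets


class Service:
    """Constructed stand-in for an API provider offering both xAuth and OAuth."""

    def __init__(self):
        self._users = {}   # username -> (salt, PBKDF2 hash)
        self._tokens = {}  # access token -> (username, frozenset of scopes)
        self._codes = {}   # one-time authorization code -> (username, scopes)

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, user, password):
        salt = secrets.token_bytes(16)
        self._users[user] = (salt, self._hash(password, salt))

    def _check_password(self, user, password):
        if user not in self._users:
            return False
        salt, stored = self._users[user]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def xauth_token(self, user, password, scopes):
        """xAuth: the client itself submits the password and gets a token back."""
        if not self._check_password(user, password):
            raise PermissionError("bad credentials")
        return self._issue(user, scopes)

    def oauth_authorize(self, user, password, scopes):
        """OAuth: the password is entered on the service's own page (the user's
        browser session); the client never sees it, only the resulting code."""
        if not self._check_password(user, password):
            raise PermissionError("bad credentials")
        code = secrets.token_urlsafe(16)
        self._codes[code] = (user, frozenset(scopes))
        return code

    def oauth_exchange(self, code):
        user, scopes = self._codes.pop(code)  # single use
        return self._issue(user, scopes)

    def _issue(self, user, scopes):
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (user, frozenset(scopes))
        return token

    def revoke(self, token):
        self._tokens.pop(token, None)

    def call(self, token, scope):
        entry = self._tokens.get(token)
        return entry is not None and scope in entry[1]


class NativeApp:
    """Everything the app keeps (memory, cache, logs); a compromise exposes all of it."""

    def __init__(self, name):
        self.name = name
        self.held = {}


def xauth_login(service, app, user, password, scopes):
    # A well-meaning app handled the password, so it is now among the app's secrets
    # (cached for re-login, written to a log, kept in memory, ...).
    app.held["password"] = password
    app.held["token"] = service.xauth_token(user, password, scopes)


def oauth_login(service, app, code):
    # The app only ever receives the authorization code and the scoped token.
    app.held["token"] = service.oauth_exchange(code)


def exposure_after_revoke(service, app, user, scopes):
    """Model a compromise of the app's storage followed by the user revoking the
    leaked token. Returns what the attacker is left with."""
    leaked = dict(app.held)
    service.revoke(leaked["token"])
    result = {
        "leaked_password": "password" in leaked,
        "old_token_works": service.call(leaked["token"], scopes[0]),
        "can_mint_new_token": False,
    }
    if "password" in leaked:
        # With the password, revocation does not help: a fresh token can be obtained.
        fresh = service.xauth_token(user, leaked["password"], scopes)
        result["can_mint_new_token"] = service.call(fresh, scopes[0])
    return result


if __name__ == "__main__":
    svc = Service()
    svc.register("alice", "correct horse")  # constructed sample account
    xa, oa = NativeApp("xauth-client"), NativeApp("oauth-client")
    xauth_login(svc, xa, "alice", "correct horse", ["read"])
    oauth_login(svc, oa, svc.oauth_authorize("alice", "correct horse", ["read"]))
    print("xAuth :", exposure_after_revoke(svc, xa, "alice", ["read"]))
    print("OAuth :", exposure_after_revoke(svc, oa, "alice", ["read"]))
```

Running it shows the asymmetry the comment describes: after revocation the OAuth client's leak is fully contained, while the xAuth client's leak still yields a working password, so the only remedy is a password change. The model deliberately says nothing about an app that captures keystrokes in its own web view; in that case both columns collapse to the xAuth outcome, which is the earlier commenters' objection.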



