You can’t create an account for Pokémon Go because the servers are overwhelmed, so the easiest way to play is to log in with your Google account. The problem is, the app asks for complete access to all of your Google data, apparently bypassing even the standard Google permissions screen.
Pokemon Go and Niantic can now:
Read all your email
Send email as you
Access all your Google drive documents (including deleting them)
Look at your search history and your Maps navigation history
Access any private photos you may store in Google Photos
And a whole lot more
What’s more, given the use of email as an authentication mechanism (think “Forgot password” links) they now have a pretty good chance of gaining access to your accounts on other sites too.
And they have no need to do this - when a developer sets up the “Sign in with Google” functionality they specify what level of access they want - best practices (and simple logic) dictate you ask for the minimum you actually need, which is usually just simple contact information.
Swift on Security:
Not great. Go here if you want to revoke access to your account. iMore recommends setting up a burner account.