So, question: is AppleID based on OAuth? And yeah, I'm underinformed on these, though I'll stand by at least some of my concerns applying.

Amongst the problems of adding a megacorp's identification protocols is that those have a strong tendency to embrace, extend, and extinguish (<https://en.wikipedia.org/wiki/Embrace,_extend,_and_extinguis...>). See what's happened to email, RCS messaging, and for that matter, online and social services themselves.

Again, the federated Mastodon poses a far lesser risk of this, though if that project were to be compromised it could go pear-shaped.