Ah, nice. Those have definitely been improved since the last time I made a site that used Facebook login.
2 years ago it use to be a data-miners paradise, you could grab almost all users data plus all data that their friends shared with only friends, it seems like they've updated these privacy permissions as well.
Apps do still have access to photos that I'm tagged in that I've got hidden as best as I can tell is possible, not even Google has access to that information.
I think there is an option for the same kind of control when approving an app as well (on the web at least)