Hi Johan,
There are certainly any number of UI Tricks that can be used to improve the overall user experience. The problem with these tricks is that I'm building the API Layer, and it's big, and it's going to last for years. People I don't know and will likely never meet will be calling those APIs, building UIs, and (hopefully!) providing unforeseen customer experiences atop them. I consider it my job in building the platform to make the job of the UI developer as simple as possible. The more I can do to shape the APIs and prevent the need for "UI Tricks" the more likely high-quality UIs will result.
Pushing the preflighting to unknown developers and making them deal with preflight caching in Random Browser XYZ seems quite a bit to ask.
At this point, my preference is to pass the OAuth token as a parameter, and then (somehow) make sure the log files are properly scrubbed for security at the edge. Everything will be HTTPS, so at least the (potentially many) hops between the browser and my edge won't have access to see anything.
Cheers,
Chris
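
The log scrubbing mentioned in the message above, sketched as an added example that is not part of the original e-mail: it redacts the token value wherever a query string appears in an access-log line, including the Referer field. The parameter name `access_token` (the RFC 6750 query form), the combined log format and the sample lines are assumptions made for illustration.

```python
import re
from urllib.parse import unquote_plus

# Assumption: the token travels as "access_token" (the RFC 6750 query name).
SENSITIVE_PARAMS = {"access_token"}
REDACTED = "[REDACTED]"

# A query string runs from '?' to the next whitespace, double quote or '#'.
# This covers both the request line and the Referer field of an access log.
QUERY_RE = re.compile(r'\?([^\s"#]*)')


def _scrub_query(match):
    pairs = []
    for pair in match.group(1).split("&"):
        key, sep, _value = pair.partition("=")
        # Decode the key before comparing so "access%5Ftoken" is caught too.
        if sep and unquote_plus(key).lower() in SENSITIVE_PARAMS:
            pair = key + "=" + REDACTED
        pairs.append(pair)
    return "?" + "&".join(pairs)


def scrub_line(line):
    """Return the log line with sensitive query parameter values redacted."""
    return QUERY_RE.sub(_scrub_query, line)


# Constructed sample lines (combined log format), not real traffic.
SAMPLE_LINES = [
    '203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] '
    '"GET /v1/items?limit=10&access_token=abc123.def HTTP/1.1" 200 512 "-" "curl/8.0"',
    '203.0.113.8 - - [10/Oct/2023:13:55:37 +0000] "GET /static/app.js HTTP/1.1" 200 1024 '
    '"https://app.example/cb?access_token=zzz999&state=1" "Mozilla/5.0"',
    '203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] '
    '"GET /v1/me?access%5Ftoken=s3cr3t HTTP/1.1" 200 64 "-" "curl/8.0"',
]

if __name__ == "__main__":
    for raw in SAMPLE_LINES:
        print(scrub_line(raw))
```

Scrubbing has to run before the line is written or shipped anywhere; a copy forwarded to a log aggregator ahead of this step still carries the token.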