I happen to do some basic application for Facebook, to see the capabilities. I dealt a little bit with FBML. The scary part of it is you can see what an application you are installing is capable of.
By default (and I don't think people change default settings), all the applications you install to your profile have access to your friends' list, photos, profile info such as first name, last name, address, groups you've joined, etc.
The email, inbox, outbox, messaging system is protected. Ahh, also people are selling their application database (which has your and your friends' info, photos, etc.) in the forums,
so just watch out for what you are installing, eh.