Why does a federated sign-in solution for a third-party web app need to authenticate to the homeserver or access Matrix APIs on the users behalf?!

That’s exactly what you want to avoid.

The bot can still get things shared by the user like username, avatar, 3pids and pubkeys.

Can you give me a use-case that my proposed solution is insufficient for due to inability to impersonate the user to the Matrix homeserver?