The whole approve design is a giant security hole when used with upgradeable contracts. Eventually it’s going to be abused and people are going to be shocked that tokens are disappearing from their accounts. The way most people understand it is, I think, approval for transactions sent by them, i.e. approval when tx.origin = token address, but of course that’s not how this works. At least dYdX and Compound have an upgrade delay now, but even with it, in the case of a hack many people wouldn’t be able to hear about it in time and their tokens would be stolen. Some “dapps” still have no delay.
Ideally, wallets would at least show the list of approved spenders, but due to how arrays are implemented in Solidity, that’s hard to do, short of filtering all Approval events for all transactions to the token contract.
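
The event-filtering approach mentioned above, sketched as an added example that is not part of the original comment: it replays ERC-20 `Approval` logs and lists the spenders an owner still has approved. It assumes logs in the JSON shape returned by `eth_getLogs`; the helper names, addresses and sample logs are constructed for illustration.

```python
# Added example; all addresses and log entries below are constructed.
# topic0 = keccak256("Approval(address,address,uint256)")
APPROVAL_TOPIC = "0x8c5be1e5ebec7d5bd14f71427d1e84f3dd0314c0f7b2291e5b200ac8c7c3b925"
MAX_UINT256 = 2**256 - 1

def topic_to_address(topic):
    # Indexed addresses are left-padded to 32 bytes; keep the low 20 bytes.
    return "0x" + topic[-40:].lower()

def active_spenders(logs, owner):
    """Replay Approval logs in chain order; return {(token, spender): amount}
    for approvals by `owner` whose last recorded amount is non-zero."""
    latest = {}
    for log in sorted(logs, key=lambda l: (int(l["blockNumber"], 16), int(l["logIndex"], 16))):
        topics = log["topics"]
        # ERC-721 Approval shares topic0 but has 4 topics; skip it.
        if len(topics) != 3 or topics[0].lower() != APPROVAL_TOPIC:
            continue
        if topic_to_address(topics[1]) != owner.lower():
            continue
        latest[(log["address"].lower(), topic_to_address(topics[2]))] = int(log["data"], 16)
    # transferFrom may reduce an allowance without emitting Approval, so treat
    # the result as candidates and confirm each with allowance(owner, spender).
    return {k: v for k, v in latest.items() if v > 0}

def _pad(addr):
    # Hypothetical helper: encode an address as a 32-byte topic.
    return "0x" + "00" * 12 + addr[2:]

def _log(token, owner, spender, amount, block, index):
    # Hypothetical helper: build one constructed Approval log entry.
    return {"address": token, "topics": [APPROVAL_TOPIC, _pad(owner), _pad(spender)],
            "data": "0x" + format(amount, "064x"),
            "blockNumber": hex(block), "logIndex": hex(index)}

TOKEN, OWNER, OTHER = "0x" + "11" * 20, "0x" + "aa" * 20, "0x" + "ee" * 20
SPENDER_A, SPENDER_B = "0x" + "bb" * 20, "0x" + "cc" * 20
SAMPLE_LOGS = [
    _log(TOKEN, OWNER, SPENDER_B, 0, 120, 3),            # later revocation, listed first
    _log(TOKEN, OWNER, SPENDER_A, MAX_UINT256, 100, 0),  # unlimited approval, never revoked
    _log(TOKEN, OWNER, SPENDER_B, 500, 110, 1),          # approval that is later revoked
    _log(TOKEN, OTHER, SPENDER_A, 42, 115, 0),           # different owner, ignored
]

if __name__ == "__main__":
    for (token, spender), amount in active_spenders(SAMPLE_LOGS, OWNER).items():
        print(token, spender, "unlimited" if amount == MAX_UINT256 else amount)
```
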