
Facebook lets you see nearby friends' approximate location data and last active time.

It is pretty easy to write a script running 24/7 to monitor, record and plot this info, giving you a complete picture of user activity.

Should security engineers consider rate limiting access to this data to prevent such scraping tools? (No real user can be online 24/7.)

Marco Marsala

1 Answer


As of today there haven't been any efforts from Facebook to restrict such APIs, mostly because it would not let people build legitimate products using such features or APIs.

In the past, people have already developed tools that profile users' activity using such 'leakages'. One prominent tool released last year is fb-sleep-stats. This tool polls users' Messenger activity status every 10 minutes and then graphs their sleep patterns.


CodeExpress
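One way a service could spot the round-the-clock, fixed-interval polling discussed in the question and answer above, as an added example that is not part of either post. The log shape (viewer id, Unix timestamp), the thresholds and all names are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

DAY0 = 1_700_006_400  # constructed: a midnight UTC, used only for sample data

def flag_pollers(events, min_requests=50, min_hours=20, max_jitter=0.1):
    """events: iterable of (viewer_id, unix_ts) presence lookups (assumed log shape).
    Returns {viewer_id: [reasons]} for viewers whose lookups look scripted."""
    by_viewer = defaultdict(list)
    for viewer, ts in events:
        by_viewer[viewer].append(ts)
    flagged = {}
    for viewer, stamps in by_viewer.items():
        if len(stamps) < min_requests:
            continue  # too little data to judge
        stamps.sort()
        # Distinct UTC hours of day in which this viewer made lookups.
        hours = {(ts // 3600) % 24 for ts in stamps}
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # Coefficient of variation: near 0 means a timer, not a person.
        jitter = pstdev(gaps) / avg if avg else 0.0
        reasons = []
        if len(hours) >= min_hours:
            reasons.append("round_the_clock")
        if jitter <= max_jitter:
            reasons.append("fixed_interval")
        if reasons:
            flagged[viewer] = reasons
    return flagged

def sample_events():
    """Constructed sample: one 10-minute poller, one human with bursty use."""
    events = [("viewer_bot", DAY0 + i * 600) for i in range(144)]
    for day in range(3):
        for hour in (8, 12, 13, 19, 20, 21, 22):
            for offset in (40, 95, 1410):
                ts = DAY0 + day * 86400 + hour * 3600 + offset
                events.append(("viewer_human", ts))
    return events

if __name__ == "__main__":
    for viewer, reasons in flag_pollers(sample_events()).items():
        print(viewer, reasons)
```

A flagged viewer is a candidate for throttling or coarser presence data rather than proof of abuse; the thresholds would need tuning against real traffic.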