The token is 1) app specific and 2) includes only access to specific things (e.g. not possible to make a Google+ post on the user's behalf or to read his/her contacts).
Now if some other app stole the token, it would be able to have the same access as Aqua Mail does, at least temporarily, because:
- There is an "access token" which is only good for one hour (with Gmail and Hotmail), and then it expires. This gets sent to the mail server to log in, so in theory, it could be intercepted, and then used by another app.
- Getting a new access token requires a special call (web API) to Google, and the app has to provide a "refresh token" and also something called "client secret", a piece of info that is only known to the app and Google's servers. Someone could decompile the app of course.
So to summarize, OAuth2 is not "perfect" for security; there are a few holes, but just because you granted Aqua Mail access to the things it needs does not at all mean that any other app is "magically" granted access to those things, let alone other things.
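
An added example, not from the original post or from Aqua Mail's code: a constructed in-memory model of the token rules described above (scope-limited access token, one-hour lifetime, refresh that needs both the refresh token and the client secret). The class, the `mail-app` client ID and the scope names are hypothetical, and no real provider API is called.

```python
import hmac
import secrets

ACCESS_TTL = 3600  # seconds; the one-hour lifetime the post gives for Gmail and Hotmail

class ToyAuthServer:
    """Constructed stand-in for a provider's token endpoint plus its mail server."""
    def __init__(self):
        self.clients = {}   # client_id -> client_secret
        self.refresh = {}   # refresh_token -> (client_id, granted scopes)
        self.access = {}    # access_token -> (granted scopes, expiry time)

    def register(self, client_id):
        self.clients[client_id] = secrets.token_urlsafe(16)
        return self.clients[client_id]

    def _issue(self, scopes, now):
        at = secrets.token_urlsafe(32)
        self.access[at] = (scopes, now + ACCESS_TTL)
        return at

    def grant(self, client_id, scopes, now):
        # User consent: tokens are bound to this client and to these scopes only.
        rt = secrets.token_urlsafe(32)
        self.refresh[rt] = (client_id, frozenset(scopes))
        return rt, self._issue(frozenset(scopes), now)

    def refresh_access(self, client_id, client_secret, refresh_token, now):
        # A new access token needs the refresh token AND the client secret.
        expected = self.clients.get(client_id, "")
        bound = self.refresh.get(refresh_token)
        if not expected or not hmac.compare_digest(expected, client_secret):
            return None
        if bound is None or bound[0] != client_id:
            return None
        return self._issue(bound[1], now)

    def allowed(self, access_token, scope, now):
        # Resource-server check: token known, not expired, scope was granted.
        scopes, expires_at = self.access.get(access_token, (frozenset(), 0))
        return now < expires_at and scope in scopes

def demo():
    srv = ToyAuthServer()
    secret = srv.register("mail-app")
    rt, at = srv.grant("mail-app", {"mail"}, now=0)
    return (srv.allowed(at, "mail", 1800), srv.allowed(at, "contacts", 1800),
            srv.allowed(at, "mail", 3601),
            srv.refresh_access("mail-app", "guess", rt, 3601),
            srv.refresh_access("mail-app", secret, rt, 3601) is not None)
```

`demo()` returns, in order: mail access inside the first hour, contacts access (never granted), mail access after expiry, a refresh attempt with a wrong client secret, and a refresh with the correct one.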