I *think* you’re right about there not being a data leak if there is no profile data being exchanged. If it’s true that you can skip the trust screen in those cases, that’d be a huge win.

The only catch I can think of (and I haven’t thought about this very deeply) is it might open up the possibility that an RP could identify you without you knowing. If http://example.com is a nefarious RP and had a good guess at your OpenID (or, actually, just your OpenID Provider), couldn’t they execute a login in the background? They would then know who you are but you might not know that they know who you are (until you login to your provider and see “example.com” on the list of trusted sites…