It doesn't leak or provide the SQRL Public Key at any point during out, the OAuth Flow is actually fairly privacy aware, the server only ever sends back Auth Code and Auto Token that's the only data going out of the server to the individual sites.
The get user info end point does return some...