yarmo Good question... I had to create an account first and be logged in to upload my key, so I think it's safe to assume that if you find a public key in a user's account, that user (or someone authenticated as that user) put the key there.
I don't think anything prevents me from uploading someone else's key into my profile, but isn't that the same as any proof in keyoxide? For example, I could upload a github gist with someone else's key fingerprint... That actually surprised me - I didn't have to upload a signed proof anywhere to get keyoxide working 🙂 Though in this case maybe if I uploaded someone else's key I wouldn't be able to decrypt anything sent to me in keybase? That part I'm less clear on, but maybe there's more protection built-in to keybase than other proofs.
The assurance that keyoxide gives is less about whether the proof is cryptographically attached to the claim's PGP key, but more about whether the claim is signed by the same fingerprint contained in the proof, right? So in that respect it should be good? I'm not an expert in keybase though, just found it odd that keybase and keyoxide both have this same idea of "linked identities" but didn't know about eachother 😉