Maybe you could just store the profile in the user's Dropbox (e.g. via the Datastore API). Then you don't have to worry about it at all... only the authenticated user can see his or her own data.
Otherwise you could just use the user ID. If you're doing this server-side, pass the OAuth token to the server, and on the server call /account/info to get the user ID. Then just tie the profile to that user ID.
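
The server-side flow described above, as an added example that is not part of the original post: the profile key is taken only from the user ID that /account/info returns for the presented token, never from anything the client claims. The v1 URL, the integer uid response field, and the ProfileStore, fetch_account_info and InvalidToken names are assumptions made for this sketch.

```python
import json
import urllib.request

# Assumption: Dropbox API v1 URL for the /account/info call named in the post.
ACCOUNT_INFO_URL = "https://api.dropbox.com/1/account/info"


class InvalidToken(Exception):
    """The token was rejected or the response carried no user ID."""


def fetch_account_info(token):
    """Call /account/info with the caller's OAuth 2 bearer token."""
    req = urllib.request.Request(
        ACCOUNT_INFO_URL, headers={"Authorization": "Bearer " + token})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


class ProfileStore:
    """Profiles keyed by the user ID the API reports for the token."""

    def __init__(self, account_info=fetch_account_info):
        self._account_info = account_info   # injectable for offline tests
        self._profiles = {}

    def _uid_for(self, token):
        try:
            info = self._account_info(token)
        except Exception as exc:            # HTTP 401, network error, bad JSON
            raise InvalidToken("token not accepted") from exc
        uid = info.get("uid") if isinstance(info, dict) else None
        if not isinstance(uid, int) or isinstance(uid, bool):
            raise InvalidToken("no uid in response")
        return uid

    def save(self, token, profile):
        # The key comes only from the API response; a client-supplied
        # "uid" field is dropped so it can never select another user's record.
        profile = {k: v for k, v in profile.items() if k != "uid"}
        uid = self._uid_for(token)
        self._profiles[uid] = profile
        return uid

    def load(self, token):
        return self._profiles.get(self._uid_for(token))
```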