To protect your privacy, mark your events "Not Attending".
Update (06:00 PDT): So far, some people have reported that their events are exposed, and some have reported that they aren't. I don't have an explanation. I've sent a note to Facebook asking them not to expose events this way.
Note: This post is based on my observations as an individual Facebook user, curious to know what is revealed about me through the new API. I wrote this article to help others protect their privacy, and I am also in touch with Facebook's team, who is working to fix this. Although I work for Google, this blog represents my personal views and not Google's. Thanks to everyone for your interest.
Update (23:00 PDT): The Facebook API is no longer revealing event lists for the users mentioned in this article, or any other users I've tried. Thanks to the Facebook folks for improving their stuff!
Update (May 12): Please see the new FAQ about the Facebook API Browser.
Yesterday, I discovered something strange while playing with Facebook's new Graph API: the API was showing a list of my events, and it seemed that anyone could get this list. Today, I spent a while checking to make sure I wasn't crazy.
I didn't opt in for this. I even tried setting all my Privacy Settings for maximum privacy. But Facebook is still exposing the list of events I've attended, and maybe your events too.
What can your event list say about you? Quite a bit. It might reveal your home address, your friends' home addresses, the names and groups of people you associate with, your hobbies, or your political or religious activities, for example.
Here's what the Facebook API publishes about Mark Zuckerberg's events: