outmoded / oz

Web Authorization Protocol


Redirect endpoint in Oz: Does Oz have the same vulnerability as OAuth 2.0?

shawm11 opened this issue · comments

If I were to add a /oz/redirect endpoint on the server (service provider) for redirecting to an application, does Oz now have the same vulnerability as OAuth 2.0 as described here and here?

For example, suppose an application were to try to redirect to the server using its application ticket credentials by doing GET /oz/redirect?to=https://myapp.com. The server authenticates the user, and redirects back to the application by doing GET https://myapp.com?rsvp=[insert rsvp here]. Does it matter if the hacker intercepts the RSVP using the redirection hack but does not have a valid ticket object belonging to the application or the application's Hawk credentials?

Why would you add a redirection endpoint?

I thought a redirection endpoint would be necessary for steps 2 and 3 of the workflow. So if a redirection endpoint is not necessary, how is the RSVP supposed to get to the application after the server gives the RSVP to the user? In other words, how does the user give the RSVP to the application?

Redirection is needed but you don't need a special endpoint for it. You just do it from the authorization page. The security properties are the same as in OAuth 1 and 2. You want to only redirect to a previously registered endpoint.