I disagree, you can ask for every permission approved for any client-api pair using the .default scope