As of Sep 2025, if you just add:
/** @OnlyCurrentDoc */
at the top, and do not add any scopes in appsscript.json, you will get the minimal required permissions limited to the current doc and form for any installable triggers.
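
A way to check a project for the setup described above, as an added example that is not part of the original answer. The function name, the sample script and the sample manifests are constructed for illustration; oauthScopes is the manifest field where explicit scopes are listed.

```javascript
// Added example (not from the original answer): checks one script file and
// its appsscript.json for the setup the answer describes.
function auditOnlyCurrentDoc(scriptSource, manifestText) {
  const findings = [];

  // Look for the annotation inside a /** ... */ block, the form the answer uses.
  // "@NotOnlyCurrentDoc" does not match, because the "@" must directly precede "Only".
  const docBlocks = scriptSource.match(/\/\*\*[\s\S]*?\*\//g) || [];
  if (!docBlocks.some((c) => /@OnlyCurrentDoc\b/.test(c))) {
    findings.push("no /** @OnlyCurrentDoc */ annotation found");
  }

  // The answer relies on the manifest listing no scopes of its own.
  let manifest;
  try {
    manifest = JSON.parse(manifestText);
  } catch (err) {
    findings.push("appsscript.json is not valid JSON: " + err.message);
    return { ok: false, findings };
  }
  const scopes = Array.isArray(manifest.oauthScopes) ? manifest.oauthScopes : [];
  if (scopes.length > 0) {
    findings.push("explicit oauthScopes in manifest: " + scopes.join(", "));
  }
  return { ok: findings.length === 0, findings };
}

// Constructed sample inputs.
const goodScript = `/** @OnlyCurrentDoc */
function onFormSubmit(e) {
  SpreadsheetApp.getActiveSpreadsheet().toast("new response");
}`;
const goodManifest = JSON.stringify({ timeZone: "Etc/UTC", runtimeVersion: "V8" });

const badScript = `/** @NotOnlyCurrentDoc */
function onFormSubmit(e) {}`;
const badManifest = JSON.stringify({
  runtimeVersion: "V8",
  oauthScopes: ["https://www.googleapis.com/auth/spreadsheets"],
});

console.log(auditOnlyCurrentDoc(goodScript, goodManifest));
console.log(auditOnlyCurrentDoc(badScript, badManifest));
```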