Microsoft documentation is a nightmare; it doesn't surprise me that there are vulnerabilities.
I recently built an SSO login using Entra ID (which was thankfully single-tenant) and I basically had to keep randomly stabbing in the dark until I got it to work with the correct scopes and extra fields returned with the access token.
Trying to search for any kind of Getting started guide just took me to child pages several levels deep full of incomprehensible Microsoft jargon and hyperlinks to helpful-sounding but ultimately similarly useless articles.
I'm pretty sure what you're describing is the fact that Microsoft returns Graph scopes by default when you request a token. I agree it is very annoying, and only really documented if you read between the lines...
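As an added illustration of the point in that comment (not code from the thread): a token that came back carrying Graph scopes has an `aud` claim for Microsoft Graph, not for your own API, and an application that only checks that "a token from Entra arrived" will accept it. The check below decodes the claims and rejects any token whose audience or `scp` does not match what the API expects. The tokens, the audience value `api://my-app` and the scope name `access_as_user` are constructed for the example; the signature is not verified here (assumption: that is done separately against the tenant's signing keys before this check runs).

```python
import base64
import json


def _b64url(data: bytes) -> str:
    """base64url without padding, as used in JWTs."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    """Inverse of _b64url; restores the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(claims: dict) -> str:
    """Build a constructed header.payload.signature JWT for illustration.
    The signature segment is empty; this is not a real Entra token."""
    header = _b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    return f"{header}.{payload}."


def check_token_audience(token: str, expected_aud: str, required_scopes: set) -> tuple:
    """Return (accepted, reason). Rejects tokens minted for another audience
    (e.g. Microsoft Graph) or lacking the scopes this API requires.
    Assumption: signature validation against the tenant's JWKS happens
    before this function is called; it only inspects the claims."""
    parts = token.split(".")
    if len(parts) != 3:
        return (False, "malformed token")
    try:
        claims = json.loads(_b64url_decode(parts[1]))
    except (ValueError, json.JSONDecodeError):
        return (False, "payload is not valid JSON")

    aud = claims.get("aud")
    if aud != expected_aud:
        # A Graph-audience token must never be accepted by a custom API,
        # even though it is a perfectly valid token issued by the same tenant.
        return (False, f"audience {aud!r} is not {expected_aud!r}")

    granted = set(claims.get("scp", "").split())
    missing = required_scopes - granted
    if missing:
        return (False, f"missing scopes: {sorted(missing)}")
    return (True, "ok")


# Constructed sample tokens: the default Graph-scoped token and a
# correctly requested one for the hypothetical API api://my-app.
GRAPH_TOKEN = make_unsigned_token(
    {"aud": "https://graph.microsoft.com", "scp": "User.Read profile openid"}
)
API_TOKEN = make_unsigned_token(
    {"aud": "api://my-app", "scp": "access_as_user"}
)

if __name__ == "__main__":
    for name, tok in (("graph", GRAPH_TOKEN), ("api", API_TOKEN)):
        print(name, check_token_audience(tok, "api://my-app", {"access_as_user"}))
```

The usual symptom of the default-scope behaviour is that the first token works against Graph and fails (or, worse, is wrongly accepted) at your own API; checking `aud` and `scp` explicitly makes the mismatch a clear error instead of a silent acceptance.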
I find this consistent across the Microsoft ecosystem. I thought maybe Copilot would have an edge, but it's just as lost as us (which I guess makes sense...)