This is right. It’s not about scoping auth, it’s about preventing secret misuse/exfil.

(Moved from wrong sub)