Personal Access Token Scopes

While generating a Personal Access Token, how is it that the user is able to select any/all the scopes? Isn’t there any way to limit this, at least by an Org-level admin? If not, how is this secure?


A user can’t assign more permissions to their PAT than they have themselves. Additionally, a PAT can’t be used for account-level access, so they can be easily revoked.

Do you want to share more about the use case that concerns you here?