Set org membership for user OAuth scope

Hi! I have a question about GitHub OAuth scopes that is causing some confusion.

I’m making a PUT request to the /orgs/{org}/memberships/{username} endpoint.

curl -X PUT 'https://api.github.com/orgs/{org_name}/memberships/{username}' \
-H 'Authorization: token {token_here_removed}' \
-H 'Content-Type: application/json'

I am the owner of the org I am making the request for. And it’s returning successfully, but what is confusing to me is that I am able to successfully make the request with my current scopes at all. I thought it would fail.

The X-OAuth-Scopes header in the response is:
delete_repo, gist, read:org, repo, user, write:public_key, write:repo_hook

I thought I would need write:org or admin:org to take this action.

Looking at the X-Accepted-OAuth-Scopes header, I see it is:
admin:org, repo.

The only thing I can think of is that the repo scope allows this action. Also, for the scopes listed in the X-Accepted-OAuth-Scopes header, is it admin:org AND repo or admin:org OR repo?

Basically, how is this possibly working?

Thank you!
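
An added example, not part of the original post and not GitHub's own code: it compares the two response headers quoted above and reports which held scope appears in the accepted list. It assumes the accepted list is satisfied by any one scope, which is what the successful request with repo but without admin:org implies; the IMPLIES map and the function names are hypothetical, and the sample headers are constructed from the values in the post.

```python
# Constructed sample: header values copied from the post, status line assumed.
SAMPLE_HEADERS = """\
HTTP/2 200
X-OAuth-Scopes: delete_repo, gist, read:org, repo, user, write:public_key, write:repo_hook
X-Accepted-OAuth-Scopes: admin:org, repo
"""

# Broader scopes that include narrower ones (a subset of GitHub's documented
# scope hierarchy; hypothetical helper table, extend as needed).
IMPLIES = {
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
}


def parse_scopes(raw_headers, name):
    """Return the set of scopes listed in one comma-separated response header."""
    for line in raw_headers.splitlines():
        # Split on the first colon only: scope names such as read:org contain colons.
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() == name.lower():
            return {s.strip() for s in value.split(",") if s.strip()}
    return set()


def effective(scopes):
    """Expand held scopes with the narrower scopes they include."""
    out = set(scopes)
    for scope in scopes:
        out |= IMPLIES.get(scope, set())
    return out


def explain(raw_headers):
    """Report which held scopes match the endpoint's accepted list."""
    held = effective(parse_scopes(raw_headers, "X-OAuth-Scopes"))
    accepted = parse_scopes(raw_headers, "X-Accepted-OAuth-Scopes")
    matched = sorted(held & accepted)
    return {
        "matched": matched,                    # held scopes the endpoint accepts
        "not_held": sorted(accepted - held),   # accepted scopes the token lacks
        "any_of_satisfied": bool(matched),     # assumption: one match is enough
    }


if __name__ == "__main__":
    print(explain(SAMPLE_HEADERS))
```

Run against the headers from the post, the only overlap is repo, so a token audit that looks only for write:org or admin:org would miss that this token can change org membership.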