Let me share an example. Let’s say there are 2 client applications — A and B which wants to use the API. A wants to use only read and B wants to use both read, write APIs. We have to create 2 OAuth agents, AgentA only with read scope and AgentB with read,write scope. When A requests an access token, it will get only read scope and similarly B will get both read,write scopes.
Let’s add a new requirement. B needs only read scope in certain scenarios and both read,write scope in other scenarios. In this case, the code should be written in such a way that B should request only read scope for certain scenarios and both read,write scope for other scenarios.
To summarize, the client application has to be written in such a way that only minimum set of scopes are requested.