The "scope" is not applied, but all user's permissions are used instead when the "Authorization Code" grant uses

I'm not sure if this is a bug or a feature, but it appears that "scope" does not limit the user's permissions when using the "Authorization Code" grant flow.