Consistency for limited scope application permissions

 Jun 30 2021

Please be more consistent in the approach that is used across the workloads for application level scoped permissions.

For example, for EXO, we still use the app permissions of Mail.ReadWrite, which clearly states it grants access to all mailboxes in the tenant (unless you use an Application access policy, which is not shown or even part of AAD). For SharePoint, there is a new permission called Sites.Selected which more clearly defines that the permission is only for selected sites, not all sites in the tenant. This is a better model and should be used / implemented for all workloads that are going to support a scoped permissions model.

Comments
Copper Contributor

Yes, agreed! It would be wonderful to be able to use Application Access Policy to limit the scope of "application permissions" to specific users in other parts of the API (i.e. beyond just mail and calendar scopes).