With access_scopes you ask the user what endpoints you’d like to make a call to (to be able to make calls to). On the other hand, depending on which user grants you access, you’ll get his access scope in SmartRecruiters and your application runs on the access scope of this user (is able to get the data). See System Roles.
Example (bad scenario): your application requests full access and SR Standard user allows it. You then have access to all assets (you are able to call all the requested endpoints) but you’ll only be able to get data that this Standard (limited) user has access to.