When I create an OAuth App, there is “Scope” setting to control what the app can access and do. See the attachment.
When I create a JWT app, there is no such setting for JWT app. See the screenshot. I wonder why this setting is missing from JWT app. It is kind of security concern that a JWT app can do anything without way to constrain it.