Also, it's easy for users to click buttons and go "ohhhh, wait, no!" and there ideally should be something to account for this case too.
Because of this, I'm extra attentive to what these scopes ask for and definitely don't sign up for anything that looks sketchy (especially the Gmail stuff) - most recently TripIt asked for that permission (I suppose to scan my email in order to find travel documents). Even if I trust that TripIt isn't going to misuse that auth right now, there's no way I'm allowing that credential.
I kind of wish I could set universal auto-reject at the Google account level of some auth scopes. Like, "I will never allow https://mail.google.com/ scope (or any of the https://www.googleapis.com/auth/* ones)".