For example, this piece of code (fragment taken from ) restricts the Macaroon usage to a given account... Or does it?
M.add_first_party_caveat('account = 3735928559')
As far as I can see, Macaroons have an interesting ability to be adjusted by intermediaries to limit their scope. Say you have a Macaroon that gives access to your Gmail account: you can "attenuate" it to limit scope only for emails in the next 10 minutes without contacting a third party. That'd be very useful for OAuth-like flows...
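The attenuation described above, as an added example that is not part of the original post and is not libmacaroons code: a simplified HMAC-chained macaroon showing that a holder can append a caveat without the root key, and that the caveat only restricts anything because the verifier evaluates it. The root key, identifier, the `time < N` caveat syntax and all function names are assumptions made for illustration.

```python
import hashlib
import hmac

def _mac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def mint(root_key: bytes, identifier: str) -> dict:
    """Service side: issue a macaroon with no caveats."""
    return {"id": identifier, "caveats": [], "sig": _mac(root_key, identifier)}

def attenuate(m: dict, predicate: str) -> dict:
    """Holder side: append a caveat using only the current signature as key."""
    return {"id": m["id"], "caveats": m["caveats"] + [predicate],
            "sig": _mac(m["sig"], predicate)}

def _satisfied(predicate: str, ctx: dict) -> bool:
    """Evaluate one caveat against the request; anything unknown fails closed."""
    try:
        if predicate.startswith("account = "):
            return str(ctx["account"]) == predicate[len("account = "):]
        if predicate.startswith("time < "):
            return ctx["now"] < float(predicate[len("time < "):])
    except (KeyError, ValueError):
        return False
    return False

def verify(root_key: bytes, m: dict, ctx: dict) -> bool:
    """Service side: recompute the HMAC chain, then check every caveat."""
    sig = _mac(root_key, m["id"])
    for predicate in m["caveats"]:
        sig = _mac(sig, predicate)
    if not hmac.compare_digest(sig, m["sig"]):
        return False  # caveats were removed, reordered or altered
    return all(_satisfied(p, ctx) for p in m["caveats"])

# Constructed sample values, not real credentials.
ROOT = b"constructed-root-key"
base = mint(ROOT, "constructed-identifier")
scoped = attenuate(base, "account = 3735928559")
short_lived = attenuate(scoped, "time < 1000")   # added offline by the holder
stripped = dict(scoped, caveats=[])              # caveat removed, signature kept
```

The caveat string is just bytes folded into the signature; the restriction exists only where `verify` interprets the predicate, which is why unrecognized caveats are rejected rather than ignored.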