Hi AndreKR,
I’m happy to help. I’ve investigated this a little further and you’re correct: the default OAuth scope when using GitLab as an OAuth service provider is very broad (full api access). It’s possible that the scope should be limited to read-only access.
Are you able to lodge an issue on the GitLab Community Edition repository? Please ping me (@MrChrisW) once it’s created and we’ll get it looked into by a developer.
Thanks again for taking the time to help improve GitLab!
Chris