I Want A Send Only To Self Auth Scope In Gmail

A bit too late for a Christmas wish, but this was sticking on my mind.

If you’ve worked with Google APIs, you’re probably familiar with the idea of sensitive/restricted scopes. Sensitive and restricted scopes are scopes that Google believes access private data, so apps using these scopes need review. Sensitive scopes require review by a Google employee. Restricted scopes need a full-on security audit, which can cost tens of thousands of dollars.

One thing I respect about Gmail (amongst the many, many things I respect) is that Gmail is pretty well scoped: to send an email (not to interact with drafts/sent/any inbox), an app can use the gmail.send scope. To do anything else with Gmail pretty much requires a restricted scope.

What I would really like to see is an auth scope that is neither restricted nor sensitive, but only allows a Gmail message to be sent to the owner of the Gmail account. In other words, for the Gmail account to send an email to itself. It would be a good way for apps to send their administrator periodic messages without having to worry about spam filters, or for a user to essentially cosign for a website’s need to email them.
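What that restriction would mean in practice, as an added example that is not from the original post: an application-side guard that refuses to build a Gmail API send body unless every recipient is the account owner. The function names and sample addresses are assumptions; the `raw` field is the base64url-encoded message that `users.messages.send` accepts.

```python
import base64
from email.message import EmailMessage
from email.utils import getaddresses

# Every header that can add a delivery recipient must be checked, not just To.
RECIPIENT_HEADERS = ("To", "Cc", "Bcc")


def canon(addr: str) -> str:
    """Normalise for comparison. Gmail treats addresses case-insensitively.
    Dot and plus aliases are NOT folded, so they are refused (fail closed)."""
    return addr.strip().lower()


def build_self_only_payload(owner: str, msg: EmailMessage) -> dict:
    """Return a Gmail API send body, or raise if any recipient is not the owner.
    (Hypothetical helper; the scope wished for here does not exist in Gmail.)"""
    recipients = []
    for header in RECIPIENT_HEADERS:
        values = [str(v) for v in msg.get_all(header, [])]
        recipients += [addr for _name, addr in getaddresses(values)]
    if not recipients:
        raise ValueError("message has no recipients")
    # Unparseable addresses come back as '' and land in outsiders, so they fail.
    outsiders = sorted({canon(a) for a in recipients} - {canon(owner)})
    if outsiders:
        raise PermissionError(f"non-owner recipients refused: {outsiders}")
    raw = base64.urlsafe_b64encode(msg.as_bytes()).decode("ascii")
    return {"raw": raw}


def make_message(owner: str, to: str, cc: str = "") -> EmailMessage:
    """Constructed sample: the kind of periodic admin report described above."""
    msg = EmailMessage()
    msg["From"] = owner
    msg["To"] = to
    if cc:
        msg["Cc"] = cc
    msg["Subject"] = "Nightly report"
    msg.set_content("All jobs finished.")
    return msg
```

This check runs in the app, so it only limits what the app chooses to send; a token holding gmail.send is not constrained by it.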

While I’m on my wish list for auth scopes, I wish youtube.readonly wasn’t a sensitive scope. I think it should either be non-sensitive, or broken down into finer-grained scopes. For example, I’d love to see a scope that permits read-only access to a user’s subscribed YouTube channels.