Filtering Scopes with Permissions (part 2?)

At there is some code for a rule:

function (user, context, callback) {
  // Permissions assigned to the user (empty list when none are set)
  var permissions = user.permissions || [];
  var requestedScopes = context.request.body.scope || context.request.query.scope;
  // Keep only the requested scopes that do not contain ':'
  var filteredScopes = requestedScopes.split(' ').filter( function(x) {
    return x.indexOf(':') < 0;
  });

  var allScopes = filteredScopes.concat(permissions);
  context.accessToken.scope = allScopes.join(' ');

  callback(null, user, context);
}

It says “The code above will ensure that all Access Tokens will only contain the scopes which are valid according to a user’s permissions.”, but it seems to be simply concatenating requested permissions to the user permissions. I would have expected some set intersection, or some reduction in the requested permissions.

Here is a similar question: Filtering scopes with permissions

Maybe I am reading the code wrong? Thank you.
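
The behaviour asked about above, as an added example that is not part of the original post or of the documentation it quotes: the rule's scope logic as a pure function, next to an intersection variant, run on the same input. The function names, the sample permissions and the requested scope string are constructed for illustration.

```javascript
// Added illustration; function names and sample values are constructed.

// Same logic as the rule quoted in the post, reduced to a pure function.
function scopesFromPostedRule(permissions, requestedScope) {
  const nonPermissionScopes = requestedScope
    .split(' ')
    .filter((s) => s.indexOf(':') < 0); // drops every requested "x:y" scope
  return nonPermissionScopes.concat(permissions).join(' ');
}

// Intersection variant: an "x:y" scope is issued only if it was requested
// AND the user holds it; scopes without ':' pass through as in the rule.
function scopesByIntersection(permissions, requestedScope) {
  const granted = new Set(permissions);
  const seen = new Set();
  return (requestedScope || '')
    .split(' ')
    .filter((s) => s.length > 0)
    .filter((s) => s.indexOf(':') < 0 || granted.has(s))
    .filter((s) => !seen.has(s) && seen.add(s)) // de-duplicate, keep order
    .join(' ');
}

const userPermissions = ['read:reports', 'delete:reports']; // constructed
const requested = 'openid read:reports write:reports';      // constructed

// Posted rule: the token carries every permission the user holds,
// including delete:reports, which the client never asked for.
console.log(scopesFromPostedRule(userPermissions, requested));

// Intersection: only what was both requested and held is issued.
console.log(scopesByIntersection(userPermissions, requested));
```

In both versions `write:reports` is refused because the user does not hold it; the two differ only in whether unrequested permissions such as `delete:reports` end up in the token.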