Filtering Scopes with Permissions (part 2?)

At https://auth0.com/docs/architecture-scenarios/spa-api/part-2#create-a-rule-to-validate-token-scopes there is some code for a rule:

```javascript
function (user, context, callback) {
  // Permissions assigned to the user (e.g. "read:timesheets"), or none.
  var permissions = user.permissions || [];
  // The scope string the client sent with the authorization request.
  var requestedScopes = context.request.body.scope || context.request.query.scope;
  // Keep only requested scopes that do not look like permissions (no ':' in them).
  var filteredScopes = requestedScopes.split(' ').filter( function(x) {
    return x.indexOf(':') < 0;
  });

  // Append every permission the user holds to the remaining requested scopes.
  var allScopes = filteredScopes.concat(permissions);
  context.accessToken.scope = allScopes.join(' ');

  callback(null, user, context);
}
```

It says “The code above will ensure that all Access Tokens will only contain the scopes which are valid according to a user’s permissions.”, but it seems to be simply concatenating the requested permissions to the user's permissions. I would have expected some set intersection, or some reduction of the requested permissions.

Here is a similar question: Filtering scopes with permissions

Maybe I am reading the code wrong? Thank you.
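As an added example that is not part of the original post or of the Auth0 documentation, the scope logic of the quoted rule is lifted out of the rule harness below so it can be run locally in plain Node, next to an intersection-based variant of the kind the question expected. The `sampleUser` and `sampleContext` objects are constructed here to mimic the shape the rule reads (`user.permissions`, `context.request.body.scope`); the helper names are this example's own. It shows that the documented rule drops requested `:`-style scopes and then appends every permission the user holds, whether requested or not, whereas the intersection variant only keeps a permission-style scope that was both requested and held.

```javascript
// Added example (not from the Auth0 docs or the original post). The user and
// context objects are constructed to look like what an Auth0 rule receives.

// Convention used by the quoted rule: scopes containing ':' are permissions
// (e.g. "read:timesheets"); the rest (e.g. "openid profile") are plain scopes.
function isPermissionScope(scope) {
  return scope.indexOf(':') >= 0;
}

// Requested scopes from the body or the query string, split into a list.
// Unlike the quoted rule, a missing scope parameter yields [] instead of throwing.
function requestedScopesOf(context) {
  var raw = (context.request.body && context.request.body.scope) ||
            (context.request.query && context.request.query.scope) || '';
  return raw.split(' ').filter(function (s) { return s.length > 0; });
}

// Same behaviour as the rule quoted from the docs: drop requested permission-style
// scopes, then append every permission the user holds, requested or not.
function docsRuleScopes(user, context) {
  var permissions = user.permissions || [];
  var plain = requestedScopesOf(context).filter(function (s) {
    return !isPermissionScope(s);
  });
  return plain.concat(permissions);
}

// Intersection variant: a permission-style scope reaches the token only if it
// was both requested by the client and held by the user; plain scopes pass through.
function intersectionScopes(user, context) {
  var held = new Set(user.permissions || []);
  return requestedScopesOf(context).filter(function (s) {
    return !isPermissionScope(s) || held.has(s);
  });
}

// Constructed sample: the client requests one permission the user holds
// (read:timesheets), one it does not (delete:timesheets), and does not request
// a second permission the user holds (approve:timesheets).
var sampleUser = { permissions: ['read:timesheets', 'approve:timesheets'] };
var sampleContext = {
  request: {
    body: { scope: 'openid profile read:timesheets delete:timesheets' },
    query: {}
  }
};

console.log('docs rule   :', docsRuleScopes(sampleUser, sampleContext).join(' '));
console.log('intersection:', intersectionScopes(sampleUser, sampleContext).join(' '));
```

Running it prints `openid profile read:timesheets approve:timesheets` for the documented rule (the unrequested `approve:timesheets` is granted, the unheld `delete:timesheets` is not) and `openid profile read:timesheets` for the intersection variant, which is the least-privilege result a client asking for a subset of its user's permissions would normally want.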