Flutter App update of user metadata

Within my Flutter application I was able to get a JWT token for the management API and to use it to update the user_metadata.
In the Auth0 Dashboard I have 2 APIs:

  1. Auth0 Management API
  2. Auth0 Flutter user update API

At first I enabled the second API only for read:current_user, update:current_user_metadata, create:current_user_metadata, update:user_metadata, create:user_metadata, create:user_app_metadata, update:user_app_metadata.
However, in the first API, which as I understand it is the father and controller, I can only see create:user_app_metadata, update:user_app_metadata, read:user_app_metadata.

This first configuration was not working, so I had to add the update:user scope and permission to both APIs.

I have some very big concerns now: I do not really understand the differences between the “scopes” tab and the “machine to machine” tab.
Also, it is not clear why I cannot see all scopes/permissions in the father API.

And there are some important questions too:

  1. What does exposing the client_secret imply?
  2. With those permission settings, will every client be allowed to modify every user that exposes their ID in some way?
  3. How can I add only update:user_metadata to my second API?
  4. How can I be sure that each client can only update the user_metadata of the currently logged-in user?