Hi @enam - welcome to the Auth0 community!
Auth0 has built-in support through our Authorization Core feature (https://auth0.com/docs/authorization/how-to-use-auth0s-core-authorization-feature-set ) to restrict the scopes returned based on the user that is performing the authentication .
There is support for restricting scopes based on client application, but only in client credentials flows where it’s the client itself that authenticates (no end-user).
There is a similar community post discussion on this topic that you might helpful - Is it possible to restrict the scopes available to a SPA.