It sounds like Enable Role-Based Access Control for APIs might help you achieve this. Instead of specifying scopes in your environment.ts, users can be assigned roles that have permissions associated with the role. The permissions associated with each role can be added to the Access Token.
Also, here is an FAQ for assigning a default role to users automatically when they log in for the first time: How do I add a default role to a new user on first login?