Here is what one of our architects said:
The other option would be to encrypt and store the values in a custom claim. They likely shouldn’t be using scopes anyway, as that is how a user gives permission to an app, not how an app gives permission to a user.
This blog may be useful: