The behavior is also weird for the client_credentials grant.
I’ve configured my custom API to grant my machine-to-machine client 1 of 2 total scopes. Then if I request a token using the client_credentials grant with that client:
If I specify no scopes in the request, the response includes the 1 granted scope.
If I specify the non-granted scope in the request, then the expected 403 is returned.
If I specify the granted scope in the request, the response has no scope field at all (no scopes returned).
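An added example (not from the original post or from Auth0) that audits the three client_credentials outcomes described above: it reads the scope claim out of the access token itself instead of relying on the response body's `scope` field, so the "no scope field at all" case is still checked against what the client was granted. The scope names, the granted set and the unsigned JWT fixtures are constructed assumptions.

```python
"""Audit client_credentials token responses for scope consistency.
Scope names, the granted set and the JWT fixtures are constructed for
this example; a real deployment would verify the token signature first.
"""
import base64
import json

GRANTED = {"read:things"}  # assumed: the 1 scope granted to the M2M client


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_fixture_token(scope: str) -> str:
    """Build an unsigned JWT carrying a scope claim (test fixture only)."""
    header = _b64url(b'{"alg":"none","typ":"JWT"}')
    payload = _b64url(json.dumps({"scope": scope}).encode())
    return f"{header}.{payload}."


def token_scopes(token: str) -> set:
    """Read the scope claim from a JWT payload without signature checks.
    Suitable for auditing a response, never for an authorization decision."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    return set(claims.get("scope", "").split())


def audit(requested: set, status: int, body: dict) -> dict:
    """Classify a token response against the requested and granted scopes."""
    if status == 403:
        # A 403 is only expected when something non-granted was requested.
        return {"outcome": "denied", "expected": not requested <= GRANTED}
    body_scope = set(body["scope"].split()) if "scope" in body else None
    in_token = token_scopes(body["access_token"])
    return {
        "outcome": "issued",
        "body_scope": body_scope,
        "body_scope_missing": body_scope is None,
        "token_scope": in_token,
        # A present body scope must match the token, and the token must
        # never carry more than the client was granted.
        "consistent": (body_scope is None or body_scope == in_token)
        and in_token <= GRANTED,
    }
```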