This solution is excellent. However, i would not say that scopes open to all the application is a limitation/bug for the product. NAM is working as expected and designed w.r.t this use case. I strongly encourage you to add a new IDEA (/cyberres/accmgmt/accessmanager/i/AccManIdeas ) . Or add an comment if this idea already present.
Thanks for providing a cool solution for this use case.