I'm developing an add-on with the Apps Script project bound to the document (Form). And I have the Drive scope set to:
But I also have the scope:
The spreadsheets scope, gives broad access, and the spreadsheets scope seems to override the auth/drive.file scope when the code is doing anything with spreadsheets. Which means that the code has broad access to Sheets files regardless of the auth/drive.file scope.
For example, I used the following code to add a new sheet tab to a Sheets file, and the Sheets file was manually, newly created. So, the file was never picked with the picker, and it was not created by the script code.
function testAccess() {
var ss = SpreadsheetApp.openById('my new Sheets file ID');
ss.insertSheet('new test name')
}
The code ran with no error, opened the spreadsheet and added a new sheet. I would have thought, that the /auth/drive.file scope should have prevented access to the new manually created file, and generated an error. But it didn't.
I also put the bound code into a stand alone file, and used, "run" - "test as add-on" and got the same results. It's pointless for me to use the "currentonly" restriction on the spreadsheet scope, because this is a Forms add-on. There is no currently active spreadsheet for the add-on. It's a Forms add-on. So, I can't restrict access to spreadsheets with "currentonly". I don't think.
I guess the real test will be when I try to create a PDF file, which my add-on needs to do. That's my next test.