Thank you for the additional thoughts. These issues are critical for any developer to consider before spending time and effort on developing an add-on. There should be a careful Risk/Reward assessment done before deciding to develop an add-on for the general public using restricted scopes. In my opinion, it won't be worth using restricted scopes in most cases. If you aren't using restricted scopes, then that's different. Let's consider the worst case scenario for using restricted scopes.
- You could be charged $75,000 a year instead of $15,000
- What if the developer was charged $75,000 for publishing a new update that fixed a bug?
- You could be charged $15,000 the first year, and then be told in the second year that the cost will now be $75,000. So now you've wasted a year of your life for nothing if your add-on would loose money because of the higher fee.
Let's assume the worst case scenario. You are charged $75,000 for the security assessment. Then the day after your app launch, a user reports a bug. You want to publish a new update to fix the bug. You get charged another $75,000 to be able to to publish a new update to fix the bug. A week later, someone makes a feature request. You get charged another $75,000 when publishing another version with the new feature request. Now you've paid $225,000 within a couple of weeks.
The point is, that developers don't know what the risk ceiling is, or if there is any limit at all to the costs of security assessments. Why would anyone take on unlimited risk in order to use restricted scopes? The odds are very much against it.
If someone already has an established add-on that is bringing in money, and the add-on probably won't need bug fixes and feature updates, then it might be viable to keep using a restricted scope. There might be situations where using a restricted scope for a new add-on would be viable, but it would be extremely rare. The obvious consequence will be that developers will scramble to reduce broad access to user data in order to avoid the need for a security assessment. The add-on user will obviously be happy that the add-on can't have access to all their information. So, that's very good. There are good things about this situation.
Even if my add-on were making lots of money, and I could afford the security assessment, if I could decrease the functionality of my add-on marginally, and still maintain most of my users, then I'd do that. I can't believe that the third party security assessment companies are going to get much business from this.