You have a scope of:
That scope permits:
Full access to the account, including permanent deletion of threads and messages. This scope should only be requested if your application needs to immediately and permanently delete threads and messages, bypassing Trash; all other actions can be performed with less permissive scopes.
Restricted scopes require a security assessment.
I can't believe that just removing
UrlFetchApp.fetch(url) is going to exempt you from getting the security assessment if you are using that scope. And if you are using scope
https://mail.google.com/, then it's pointless to list scope:
../auth/script/sendmail/
I'm not the person who can give you an official answer. (Good luck getting that.)
But according to the documentation, you need to get a security assessment if you're going to use scope.
Do you need to permanently delete threads and messages, bypassing trash? If you do, then you need scope:
And you'll need to get a security assessment. If just removing UrlFetchApp.fetch(url)
exempts you from getting a security assessment, then the documentation is wrong.