~netlandish/links#38: [DRAFT] OAuth2: Allow user to specify specific organization

Currently, when authorizing an OAuth2 client, the client gets whatever scope approval the user gives for their entire account. So, for instance, if the user grants the ANALYTICS scope, the client can fetch analytics data for every org the user has permission for.

We should offer the option to specify the org the client has access to. It could be all or just one.

This still needs investigation, but it's not a small change. We'd have to customize some of the OAuth2 handling in links so that a grant can be org-specific. The GraphQL resolvers will also need additional checks. This would affect virtually every query/mutation, so I think we want to lay out a solid plan before ever going forward with this.
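To make the proposed check concrete, here is an added illustration (not code from the links project) of a token that carries an optional org binding alongside its scopes, plus a decorator that every resolver would apply so the scope and org checks live in one place. The membership table, analytics data and function names are constructed for the example; a token with `org=None` reproduces today's account-wide behaviour, and a token bound to an org the user does not belong to gains nothing.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Optional

# Constructed sample data (not the project's models): which orgs each user belongs to,
# and the per-org data that the ANALYTICS scope unlocks.
MEMBERSHIPS = {"alice": {"acme", "globex"}, "bob": {"globex"}}
ANALYTICS = {"acme": {"clicks": 120}, "globex": {"clicks": 45}}


class Forbidden(Exception):
    """Raised when a token may not perform the requested operation."""


@dataclass(frozen=True)
class Token:
    user: str
    scopes: frozenset
    org: Optional[str] = None  # None = every org the user can access (today's behaviour)


def visible_orgs(token):
    """Orgs a token may act on: user membership, further narrowed by the token's org binding."""
    orgs = MEMBERSHIPS.get(token.user, set())
    return orgs if token.org is None else orgs & {token.org}


def requires(scope):
    """Decorator for resolvers taking (token, org, ...): enforce scope and org binding once."""
    def decorator(resolver):
        @wraps(resolver)
        def wrapper(token, org, *args, **kwargs):
            if scope not in token.scopes:
                raise Forbidden(f"token lacks scope {scope}")
            if org not in visible_orgs(token):
                raise Forbidden(f"token may not access org {org!r}")
            return resolver(token, org, *args, **kwargs)
        return wrapper
    return decorator


@requires("ANALYTICS")
def resolve_analytics(token, org):
    """Hypothetical analytics resolver; the decorator does all authorization."""
    return ANALYTICS[org]


if __name__ == "__main__":
    account_wide = Token("alice", frozenset({"ANALYTICS"}))
    acme_only = Token("alice", frozenset({"ANALYTICS"}), org="acme")
    print(resolve_analytics(account_wide, "globex"))  # allowed: account-wide grant
    try:
        resolve_analytics(acme_only, "globex")
    except Forbidden as exc:
        print("blocked:", exc)
```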

Status: REPORTED
Submitter: ~petersanchez
Assigned to: No-one
Submitted: 3 months ago
Updated: 3 months ago
Labels: backlog