
If someone has access to your account I assume they can read all your messages and possibly impersonate you.



Having OAuth creds is a totally different thing than having access to your account. I support "Log in with Discord" on my site that uses the OAuth flow and the only thing I get out is a set of creds that can hit /user/@me and let me say "the user that just authed is this Discord user." Now discord.io could have asked for everything but the risk of some random integration is on average a lot less. To my knowledge absolutely nothing has the rpc scopes.

The good news is that even with every scope you can't take over the account, and the service can just be removed, cutting off their access for sure.
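As an added example (not part of the thread and not any commenter's code), this is one way a site offering a login-only OAuth flow can check that the token it received carries no more than the scope it asked for. The scope names other than `rpc` are assumptions taken from Discord's OAuth2 documentation, and the token responses are constructed sample data.

```python
"""Least-privilege check on an OAuth2 token response (added example)."""
from dataclasses import dataclass

# Assumption: "identify" is the login-only scope; the thread names no scope except rpc.
LOGIN_ONLY = frozenset({"identify"})


@dataclass(frozen=True)
class GrantAudit:
    granted: frozenset
    excess: frozenset      # granted but never needed for login
    missing: frozenset     # needed for login but not granted
    high_risk: frozenset   # excess scopes in the rpc family

    @property
    def ok(self) -> bool:
        return not self.excess and not self.missing


def audit_grant(token_response: dict, expected: frozenset = LOGIN_ONLY) -> GrantAudit:
    """Compare the space-delimited 'scope' of a token response to what login needs."""
    raw = token_response.get("scope")
    if not isinstance(raw, str) or not raw.strip():
        # Fail closed: without a scope field we cannot tell how broad the grant is.
        raise ValueError("token response has no usable scope field")
    granted = frozenset(raw.split())
    excess = granted - expected
    high_risk = frozenset(s for s in excess if s == "rpc" or s.startswith("rpc."))
    return GrantAudit(granted, excess, expected - granted, high_risk)


# Constructed token responses; the access_token values are placeholders.
SAMPLES = {
    "login_only": {"access_token": "PLACEHOLDER-1", "token_type": "Bearer",
                   "scope": "identify"},
    "over_broad": {"access_token": "PLACEHOLDER-2", "token_type": "Bearer",
                   "scope": "identify email guilds rpc rpc.notifications.read"},
}

if __name__ == "__main__":
    for name, resp in SAMPLES.items():
        audit = audit_grant(resp)
        verdict = "accept" if audit.ok else "reject and discard token"
        print(f"{name}: {verdict}; excess={sorted(audit.excess)} "
              f"high_risk={sorted(audit.high_risk)}")
```

A token that fails the check should be discarded rather than stored, so a later breach of the integration exposes only what login actually needed.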



