How does that work, when you add an OAuth app, the resulting tokens are specific to that app having a certain set of permissions?

It's not a new attack vector as in giving too many scopes (beyond the usual "get personal details").

I am curious how this external OAuth app managed to move through the systems laterally.