Yes, you can certainly scope the permissions of API credentials to follow least privilege, but you cannot descope an account’s access when logging in interactively, and I think that’s the crux of our issue here.
In my observations, there is a lack of (meaningful) API endpoints in IdN that allow for ApplicationOnlyAuth. We have many use cases where a single team or account might need to perform a single operation, but in order to do that, we have to grant their account ORG_ADMIN. There are other vendors/platforms that are more permissive with their application-only API authorization, Microsoft being one of them.
Just look at the permissions required for the Entra ID connector. All but one of them are application API permissions.
Our auditors are not IT people, and they do not understand the intricacies of an authorization system, so we get questioned a lot whenever we provision all these accounts with such broad access within IdN.