Auth flow confusion (extended or rather resolved?!)

Just like what you quoted says, App tokens are not associated with a user, so they can only be used for server-to-server requests.

What this means is that ANY endpoint requiring a scope MUST require a User token, because users are the only ones who can agree to scopes.

Even if you did try to generate an App token with scopes on it, they don’t do anything, because App tokens aren’t associated with a user. For example, you link a thread about subscriptions: if I generate an App token with the channel:read:subscriptions scope, that doesn’t give me access to any subscriptions because it’s not tied to a channel, meaning there’s no channel whose subscriptions I could look at anyway. I could give it the chat:edit scope, which a chat bot would use… except that because it’s an App token it wouldn’t have a username, so it can’t log in and send to chat.

If you’re making any request on behalf of a user, need to look up the user associated with a token, or are making any request that requires scopes, you need a USER token. If you are making a request that you could otherwise make with just a client-id, but you want increased rate limits, you need an APP access token (the only exception to this is the Get Webhook Subscriptions endpoint, which REQUIRES an app access token for security reasons).

I hope that clears things up.

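As an added example (not from the original post), here is a pre-flight check a bot could run on the JSON that Twitch's token validation endpoint returns before calling an API, applying the rule above that scopes only count on a token tied to a user. The endpoint names, token values and the exact response fields are assumptions, not taken from the post.

```python
import json

# Constructed samples modelled on the shape of the reply from
# https://id.twitch.tv/oauth2/validate (assumption: a user token carries
# "login" and "user_id"; an app token does not, even if scopes were requested).
USER_TOKEN_INFO = json.loads("""{
  "client_id": "EXAMPLE_CLIENT_ID",
  "login": "examplebot",
  "scopes": ["chat:edit", "channel:read:subscriptions"],
  "user_id": "12345",
  "expires_in": 14000
}""")

APP_TOKEN_INFO = json.loads("""{
  "client_id": "EXAMPLE_CLIENT_ID",
  "scopes": ["channel:read:subscriptions"],
  "expires_in": 5000000
}""")

# Endpoint requirements as the post describes them; the keys are illustrative names.
ENDPOINTS = {
    "get_broadcaster_subscriptions": {"scopes": {"channel:read:subscriptions"}},
    "chat_send": {"scopes": {"chat:edit"}},
    "get_streams": {"scopes": set()},  # client-id only; app token just raises rate limits
    "get_webhook_subscriptions": {"scopes": set(), "app_only": True},
}


def token_kind(info):
    """Return 'user' if the validate reply names a user, otherwise 'app'."""
    return "user" if info.get("user_id") and info.get("login") else "app"


def check_token(endpoint, info):
    """Return (ok, reason). Scoped endpoints need a user token; scopes on an app token do not count."""
    req = ENDPOINTS[endpoint]
    kind = token_kind(info)
    if req.get("app_only"):
        if kind != "app":
            return (False, "requires an app access token")
        return (True, "ok")
    if req["scopes"]:
        if kind != "user":
            return (False, "scopes require a user token; app token scopes are ineffective")
        missing = req["scopes"] - set(info.get("scopes", []))
        if missing:
            return (False, f"user token missing scopes: {sorted(missing)}")
    return (True, "ok")
```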