It is easy to have category pseudo-scopes. I would recommend that instead of real wildcard (or “every future scope”) scopes.
They do not violate the OAuth specifications and do not introduce any new security considerations. In fact, requiring new scopes for everything has its own security considerations they can help mitigate to an extent (security fatigue).
Someone can submit a suggestion on user voice along these lines, and good luck to you if you do.