Webhook lease_seconds not consistent

How could an App Access Token have access to a user’s Scope ???