Create more granular accounting scopes (eg: Sales - Invoice only)
Right now there is a very wide range of APIs wrapped up in the "accounting.transactions" scope, with no way to provide more granular access within these APIs (https://developer.xero.com/documentation/guides/oauth2/scopes#organisation-scopes).
This means that it's not possible to grant access to something quite narrow without also granting access to other things that are often not needed. For example, you cannot grant permission to creating/manipulating Sales Invoices without also giving access to all Bank Transactions at the same time.
This problem is perhaps accentuated for Custom Connections, which are designed to be used for "in house" integrations, as ALL developers with access to maintain such a sales invoice integration would effectively have access to their colleague's salaries and company bank balances and nothing can be done to mitigate against this.
It feels like either there should be an extra layer of scopes such as "accounting.transactions.invoice" or "accounting.transactions.sales" available.
I would also think this is quite easy to implement!

-
HC commented
It is a significant issue for us that we can't grant some users access to create/see invoices only via the API. Our users are effectively over permissioned and we have to ask them not to look at sensitive information (such as account reconciliations). It's not a nice state to exist in.