OAuth2 dynamic scopes vs policy based access

Pushpalanka Jayawardhana
May 29, 2023

Problem

We need to do access control based on path parameters and on some fields of the request payload.

Eg 1 — I can read my accounts only

Allow — GET  /users/{userID}/accounts

Eg 2 — I can create the user in the account only if I am the account admin

Allow — POST /accounts
{ "member" : "user1",
  "account" : "account1" }

Analysis

Dynamic OAuth2 scopes could be made to cover the use case, but neither example is an access delegation requirement: a scope expresses what a client application is allowed to do on the user's behalf, not which specific resource a given user may touch. For example 1 the token would carry a scope such as `users.accounts.{userID}.read`, with the userID filled in per user, and the resource server would do a plain scope check against the userID in the path.
This is not a new concern. Andrey Paramonov raised it in 2018 against the OpenAPI specification, and, as he also pointed out, Vittorio Bertocci explained in detail in a blog post why this is a bad idea. The main reasons are,

if we follow this approach,

  1. we end up with a very large number of scopes, one per user or per resource instance
  2. the authorization server has to keep track of every rule by which it decides whether a requested scope can be granted, so it ends up carrying the resource server's authorization policy
  3. token request traffic also goes up, because a client needs a new token whenever it touches a resource its current scopes do not name.
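To make the contrast concrete, here is an added example (not code from the original post) that implements both examples above twice: once with a per-user dynamic scope, and once with two coarse scopes (`accounts:read`, `accounts:write`) plus a policy evaluated at the resource server using the path parameter, the payload and the account membership data. The scope names, the `Token` and `Request` shapes and the membership table are assumptions constructed for the example.

```python
"""Added example: dynamic scopes vs coarse scopes plus policy-based access.
Tokens, requests and account membership below are constructed sample data."""
from dataclasses import dataclass, field

# Constructed sample data. Assumption: account membership is owned by the
# resource server, so the policy is evaluated where the data lives.
ACCOUNT_MEMBERS = {
    "account1": {"user1": "admin", "user2": "member"},
    "account2": {"user2": "admin"},
}


@dataclass
class Token:
    sub: str                                  # the user the client acts for
    scopes: set = field(default_factory=set)  # granted OAuth2 scopes


@dataclass
class Request:
    method: str
    path_params: dict
    body: dict = field(default_factory=dict)


# --- Approach 1: dynamic scopes (the approach the post argues against) ---
def dynamic_scope_allows(token: Token, req: Request) -> bool:
    """Example 1 with a per-user scope: the authorization server must have
    minted users.accounts.<userID>.read for exactly the user in the path."""
    needed = f"users.accounts.{req.path_params['userID']}.read"
    return needed in token.scopes


def dynamic_scopes_required(user_ids) -> set:
    """The scope catalogue grows with the number of users (reason 1)."""
    return {f"users.accounts.{u}.read" for u in user_ids}


# --- Approach 2: coarse scope (delegation) + policy (authorization) ---
def policy_allows(token: Token, req: Request) -> bool:
    """The scope says what the client may do on the user's behalf; the policy
    decides whether this user may touch this particular resource."""
    if req.method == "GET" and "userID" in req.path_params:
        # Example 1: I can read my accounts only
        return ("accounts:read" in token.scopes
                and req.path_params["userID"] == token.sub)
    if req.method == "POST" and "member" in req.body:
        # Example 2: only an admin of the target account may add a member
        members = ACCOUNT_MEMBERS.get(req.body.get("account"), {})
        return ("accounts:write" in token.scopes
                and members.get(token.sub) == "admin")
    return False  # deny by default for anything the policy does not cover


if __name__ == "__main__":
    read_own = Request("GET", {"userID": "user1"})
    add_member = Request("POST", {}, {"member": "user3", "account": "account1"})
    print(policy_allows(Token("user1", {"accounts:read"}), read_own))      # True
    print(policy_allows(Token("user1", {"accounts:write"}), add_member))   # True
    print(policy_allows(Token("user2", {"accounts:write"}), add_member))   # False
```

With the policy approach the authorization server only ever issues two scopes and never needs to know who administers which account; that knowledge stays in the resource server, and a client that already holds `accounts:read` does not need a fresh token to read a different user's accounts, it simply gets denied by policy.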
