Application tokens should not have global admin permissions by default.
Any app client credential is able to access all workflows and all tasks. There should be an option to restrict this access to allow an app token to access only selected workflows and action its tasks along with delegates.