Default scope checking should be based on equality or inclusion.

But many APIs have scope situation that are more complicated. For example, Gmail's "full" scope supersedes the "compose" scope, but there's no way to detect that w/o external knowledge.

In this comment @craigcitro also points out a relevant situation re: bigquery.