OAT Scope: Only show scopes for public API endpoints

[birkjernstrom]

Currently, we list them all including scopes such as webhook:read and external_organizations:* etc that are used by our dashboard, but not documented or intended for public consumption really.

So would be nice to have a whitelist of public OAT scopes to narrow down the list to avoid confusion.

[frankie567]

We should document webhook endpoints though, they are used by Zapier for example