Let’s continue the discussion here, rather than in Authentication Flow, as it is more applicable here than to the flow itself.
I agree with you and we have considered this case. In particular, to make requests and permissions based on Regular Expressions for keys. So, you could ask to only retrieve all files matching safe-* or allow write requests only based on those.
In order to be able to finish something, we have left this out for now, but it is designed in a way to allow this extension later. However, this isn’t going to be trivial to make happen once you incorporate the encryption, which is transparent to vaults. It makes keys random and hard to match. Thus it would only work for unencrypted data, which we assume to be the smaller amount of data, actually. So, that’s a problem.
So, we’ve pushed this idea down the road. Getting this system done for now and seeing how we want to extend it specifically once we have gained more experience with how this behaves and what apps need.
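
The matching problem described in the post above, as an added example that is not part of the original post or the project's code: a pattern grant such as safe-* is checked against plain key names and against the keys as a vault would see them. The grant layout, the function names and the HMAC used as a stand-in for the encryption step are all assumptions made for illustration.

```python
import fnmatch
import hashlib
import hmac

# Hypothetical grant: the app may read keys matching these patterns, write none.
GRANT = {"read": ["safe-*"], "write": []}

# Constructed sample data: key names as the app knows them.
PLAIN_KEYS = ["safe-notes.txt", "safe-photos/1.jpg", "private-diary.txt"]
SECRET = b"constructed-demo-secret"


def allowed(grant, action, key):
    """True if `key` matches any pattern granted for `action`."""
    return any(fnmatch.fnmatchcase(key, pat) for pat in grant.get(action, []))


def filter_keys(grant, action, keys):
    """Keys from `keys` that the grant permits for `action`."""
    return [k for k in keys if allowed(grant, action, k)]


def opaque_key(secret, name):
    """Assumed stand-in for client-side encryption of the key name:
    the vault only ever sees a keyed hash, never the name itself."""
    return hmac.new(secret, name.encode(), hashlib.sha256).hexdigest()


def vault_view(secret, names):
    """Key names as stored, i.e. what a vault-side matcher would have to work with."""
    return [opaque_key(secret, n) for n in names]


if __name__ == "__main__":
    # Unencrypted data: the pattern selects exactly the safe-* keys.
    print("plain :", filter_keys(GRANT, "read", PLAIN_KEYS))
    # Encrypted data: the stored keys are hex digests, so nothing matches safe-*.
    stored = vault_view(SECRET, PLAIN_KEYS)
    print("stored:", filter_keys(GRANT, "read", stored))
```
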