Demo application: Authorizing with no scopes

When authorizing the client without any scopes

... the following token is generated:

[{:id=>1,
  :account_id=>1,
  :oauth_grant_id=>1,
  :oauth_token_id=>nil,
  :oauth_application_id=>1,
  :token=>"z5wiK_CdosuvC5U6e0LGfFWZd2LYyR4IQQowWQ2vFc8=",
  :refresh_token=>"gAtZnJKVotkYbc61cDhRV4Hntv2I_OJW494sNN1cxGo=",
  :expires_in=>"2021-12-03 11:39:45 +0100",
  :revoked_at=>nil,
  :scopes=>"profile.read books.read"}]

Note that is has both scopes active, although I did not select any. Is this intended behaviour?