No matter which one of our users creates a custom app, nor app level vs enterprise access, nor jwt versus ccg, nor scopes is able to restrict the applications access only to the service account's data. Everytime I run "Get Current User" (no matter who created the app) it returns our enterprise admin rather than the service account and when I get all items from the root level it returns everything that is in our enterprise admin account (at the top level).
How can I create an app that can do the following :
1 : Create folders (either in a folder the service account owns or that is shared from someone else)
2 : Send collaborations from #1 folders
3 : Not access any data outside of what the service account has access to.