Clarify Oauth default scope

[teoulas]

Our docs mention:

About scopes: Oauth allows you to request different levels of access to a user's account. By default all applications are granted access to the public scope.

This is misleading, however. We default to "public" only if the API client does not request any other scopes, according to the doorkeeper wiki.

[joeyhorst]

This is dealt with in https://github.com/GRESB/api-docs/commit/b251a45ee73452304c0a42fca92428c743352142