GCP - best practices for granting permission scopes

So the Compute Engine SSH example uses `--scopes https://www.googleapis.com/auth/cloud-platform` for the VM service account, which feels like it’s overgranting a lot of permissions. Am I missing something here?

"The best practice is to set the full cloud-platform access scope on the instance, then control the service account's access using IAM roles." (from this link)

From what I understood, yes, the cloud-platform access scope is overgranting, but you can narrow down the permissions using IAM roles.
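
The pattern described in the answer above, as an added example that is not part of the original thread: a dedicated service account gets only narrow IAM roles, and the VM is created with the full `cloud-platform` scope so that IAM is the only limit on what it can do. The project, account, VM and zone names and the two roles are placeholders chosen for illustration; the script prints the `gcloud` commands by default and runs them only when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example: dedicated service account + narrow IAM roles + cloud-platform scope.
# Every value below is a placeholder (assumption); override via the environment.
set -eu

PROJECT="${PROJECT:-example-project}"
SA_NAME="${SA_NAME:-ssh-demo-vm}"
VM_NAME="${VM_NAME:-ssh-demo}"
ZONE="${ZONE:-us-central1-a}"
# Roles this VM actually needs (illustrative choice, space separated).
ROLES="${ROLES:-roles/logging.logWriter roles/monitoring.metricWriter}"
SCOPE="https://www.googleapis.com/auth/cloud-platform"

# E-mail address of the dedicated service account.
sa_email() {
  printf '%s@%s.iam.gserviceaccount.com' "$SA_NAME" "$PROJECT"
}

# With the cloud-platform scope, IAM is the only boundary, so a basic role
# (Owner/Editor/Viewer) on the VM's account would defeat the narrowing.
check_roles() {
  for r in $ROLES; do
    case "$r" in
      roles/owner|roles/editor|roles/viewer)
        echo "refusing basic role on a VM service account: $r" >&2
        return 1 ;;
    esac
  done
}

# Emit the gcloud commands, one per line, in the order they must run.
plan() {
  check_roles || return 1
  echo "gcloud iam service-accounts create $SA_NAME --project=$PROJECT"
  for r in $ROLES; do
    echo "gcloud projects add-iam-policy-binding $PROJECT --member=serviceAccount:$(sa_email) --role=$r"
  done
  echo "gcloud compute instances create $VM_NAME --project=$PROJECT --zone=$ZONE --service-account=$(sa_email) --scopes=$SCOPE"
}

# Dry run by default; APPLY=1 pipes the plan to a shell that stops on error.
if [ "${APPLY:-0}" = "1" ]; then
  plan | sh -ex
else
  plan
fi
```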