I've a web application that uses the Google File Picker to select a file, and then internally my backend takes the fileId and calls this API to download it:
https://developers.google.com/workspace/drive/api/reference/rest/v3/files/download
In the meantime, I created a Google Cloud project and application, and started the process to verify it.
However, now I'm stuck since I requested the drive.readonly scope that is restricted, and I need a lot of complex stuff like security assessment etc.
The Google Verification Center told me to look at the drive.file scope, since it's not restricted. However, even though the developers page states "Requires one of the following OAuth scopes", so I suppose one of them is enough, the API returns 404 if I try to execute it with just the drive.file scope, whereas it correctly returns the file if I use the drive.readonly scope.
Is there a way to avoid the restricted scope and use just drive.file to download a file providing the fileId? Maybe I have to use another API or do something directly from the File Picker?
I found a solution and I think it's the only possible one: if you access the file from Google Picker, then you can also download it with v3/files/download using the accessToken used for the picker. I think that Google, under the covers, validates downloading that precise file that you selected with the picker.
But if you would like to download any file that you don't access with Google Picker, then you need the restricted drive.readonly scope.
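Added example (not code from the original post): the backend call the answer describes, in Python, with the client-supplied fileId validated before it is placed in the URL and the token checked for least privilege. It assumes the browser sends the Picker's access token together with its space-separated granted-scope string; the function names and the fileId pattern are assumptions.

```python
import re
import urllib.error
import urllib.request

DRIVE_FILE = "https://www.googleapis.com/auth/drive.file"
RESTRICTED = {
    "https://www.googleapis.com/auth/drive",
    "https://www.googleapis.com/auth/drive.readonly",
}
# Assumption: Drive file IDs use only URL-safe base64 characters.
FILE_ID_RE = re.compile(r"[A-Za-z0-9_-]{10,200}")


def check_scopes(granted: str) -> None:
    """Reject tokens that lack drive.file or carry a restricted Drive scope."""
    scopes = set(granted.split())
    if DRIVE_FILE not in scopes:
        raise PermissionError("token lacks drive.file")
    if scopes & RESTRICTED:
        raise PermissionError("token carries a restricted Drive scope")


def build_download_request(file_id: str, access_token: str) -> urllib.request.Request:
    """Build the v3/files/download call for a Picker-selected file."""
    # The fileId comes from the browser: refuse anything that could alter the path.
    if not FILE_ID_RE.fullmatch(file_id):
        raise ValueError("malformed fileId")
    url = f"https://www.googleapis.com/drive/v3/files/{file_id}/download"
    return urllib.request.Request(
        url, data=b"", method="POST",
        headers={"Authorization": f"Bearer {access_token}"},
    )


def start_download(file_id: str, access_token: str, granted_scopes: str) -> bytes:
    """Send the request; returns the raw API response body."""
    check_scopes(granted_scopes)
    req = build_download_request(file_id, access_token)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.read()
    except urllib.error.HTTPError as err:
        # Per the post: with drive.file only, a file not picked returns 404.
        if err.code == 404:
            raise PermissionError("file was not selected in the Picker with this token") from err
        raise
```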