We used to list the minimal OAuth scopes required for Sameroom to work with HipChat in our documentation.
However, on a couple of occasions HipChat changed both the types and semantics of scopes, which broke existing Sameroom integrations. Since scoping is relatively new, and HipChat is doing quite a bit of work on the API, we decided to simply ask for all scopes, for now.
We realize this isn't the best security practice, but we prefer to err on the side of pragmatism over pedantism when user experience is at stake.
That said, please rest assured: your fully-scoped OAuth tokens are safe—see our security overview for details.