Change Graph API permissions requirements
Rick Volosky commented
Requiring an app to have Group.ReadWrite.All permissions to do anything even as simple as creating a task on an existing plan is extremely excessive.
This violates a cardinal rule of security: Least Privilege.
It definitely makes sense to make the Graph API permissions for Planner significantly more granular.