Question about how ACP access rights work regarding the applications

Hello everyone, I am currently trying to understand how ACP works with ESS pods, in particular what are the basic permissions that are given to the authorized application.
The current state, I have an app and I have logged in with pod.
I have created a new solid dataset (which means my app has rights to do it) and was able to create a matcher and a policy and attach to that dataset, which means that my app had right to do that as well.
The thing that I don’t understand is what are the “default” rights of an authorized app?
Because on the login I would only agree to “see your WebId” and “run in background” and this is kind of different from PODs based on Node Solid Server where you would have a lot more things to tick on login (like modify existing data or give other apps and people permission and so on)