Allow files to be downloaded via the API when the only Application scope checked is "Read all files and folders stored in Box". Preferably as well users should be able to go into the list of apps authorized to access their files and enforce readOnly access as well.
It is a completely unnecessary liability for apps that only need to download files, and an unnecessary security risk for a User/Organization's data.
Erik Weiss commented
+1. You shouldn't need "write" scope for downloading files.