It does work by setting it to public and never verifying it.
It works like that indefinitely, it just shows a warning when you login saying it’s unverified.
Checkout the thread here. This has been discussed a lot in the forum
If you need to limit your scopes then just dont add those scopes in the google api console. You need to manually add in any scopes you want to use.
If you want more control over the scopes, you can use generic oauth credential and set your scopes manually, but then you need to do the requests manually through the http node