I think it is great that DigitalOcean rolled out its beta testing to provide custom scopes for personal access tokens shown here:
However, I think it is missing one hugely beneficial feature that could dramatically increase security in the event of a compromised token.
There should also be an option to allow tokens to only be used by authorized IP addresses and/or IP ranges. This way, attackers cannot use a compromised token to destroy resources regardless of customized granularity. It's a secondary protection layer to provide much stronger security.
The default setting should of course be to allow all IP ranges, but if a token grantor wishes to have greater security, allow them the option to limit it only to authorized IP addresses (i.e. the IPs of their droplets or other resources from where they anticipate making the API calls).
The token-creator should be able to customize that IP list and/or IP range(s) accordingly.
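A sketch of the check requested above, as an added example that is not part of the original post and not DigitalOcean's API: a token carries scopes plus an optional IP allowlist that defaults to allow-all, and a request must pass both. `TokenPolicy`, `authorize`, the scope strings and the documentation-range addresses are hypothetical, constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Proposed default: no IP restriction (every IPv4 and IPv6 source allowed).
ALLOW_ALL = ("0.0.0.0/0", "::/0")


@dataclass(frozen=True)
class TokenPolicy:
    scopes: frozenset                     # hypothetical scope names
    allowed_networks: tuple = ALLOW_ALL   # single IPs and/or CIDR ranges

    def networks(self):
        # A bare address such as "203.0.113.10" becomes a /32 (or /128) network.
        return [ipaddress.ip_network(n, strict=False) for n in self.allowed_networks]


def normalize(source_ip):
    """Parse the caller's address; fold IPv4-mapped IPv6 back to IPv4 so
    ::ffff:a.b.c.d is matched against the IPv4 entries of the allowlist."""
    addr = ipaddress.ip_address(source_ip)
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def authorize(policy, scope, source_ip):
    """Return (allowed, reason). Both the scope and the source IP must pass."""
    if scope not in policy.scopes:
        return (False, "scope_denied")
    try:
        addr = normalize(source_ip)
    except ValueError:
        return (False, "bad_source_ip")   # fail closed on an unparseable address
    for net in policy.networks():
        if addr.version == net.version and addr in net:
            return (True, "ok")
    return (False, "ip_denied")           # valid scope, but not from an allowed IP


if __name__ == "__main__":
    # Constructed policy: delete rights, usable only from the owner's ranges.
    restricted = TokenPolicy(frozenset({"droplet:delete"}),
                             ("203.0.113.0/24", "2001:db8::/32"))
    for ip in ("203.0.113.5", "198.51.100.7", "::ffff:203.0.113.5", "not-an-ip"):
        print(ip, authorize(restricted, "droplet:delete", ip))
```

The `ip_denied` result is the case the post is about: the token and scope are valid, but the call is refused because it did not originate from an address the token creator listed.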