I'm currently building my own login workflow as described in https://developers.facebook.com/docs/facebook-login/manually-build-a-login-flow/.
Everything works like a charm but one tiny thing: At the moment my site redirects the user to Facebook with the scope parameter set to only email.
But then the user is asked to grant access not only to their public profile and their email but also to their friend list. When accepted and sent back to my site the scope parameter now also reads email, user_friends.
Is there a reason why this happens and is there a way to prevent this for the moment?