Working on this further, I have found that the issue is not with the OAuth scope but the URL used for OAuth 2.0(3LO).
Referring this document : https://developer.atlassian.com/cloud/confluence/oauth-2-3lo-apps/
which says when using OAuth2.0(3LO), we need to construct the URLs in this format: https://api.atlassian.com/ex/confluence/{cloud-id}/{api}
but this format for the group-id APIs and user APIs gives 401: scope does not match error.
On the other hand, changing the url to :
https://your-domain.atlassian.net/{api} with the Access Token generated, works fine for all the APIs including group-id and user APIs.
Please confirm if this is a planned change(not reflected in the document) or still under development?