Some related suggestions: Action required: Update scopes for Forge and OAuth 2.0 (3LO) apps - #43 by tbinna
The exact same thing as highlighted in 1 happened to us as well. Since then we click ‘save’ each time we tick a permission.
Regarding 2, absolutely agree. If you have multiple apps and you need to manage scopes for all of them it’s really painful.
Alternatively, instead of selecting individual permissions, it would be much easier to select the API endpoint that you would like to use. Required permissions can then be inferred from that.