When requesting a token (with an login endpoint) I would like to limit created token to operate only on selected collections and perform only limited actions.

Reason: There may be a USER who is a SYSTEM/CLUSTER-level user that is owning multiple collections for multiple applications in his/her cluster. A Backup Maker Operator could assign credentials dynamically during backup execution, and every ScheduledBackup can get its own scoped JWT that would allow to upload only to its own collection

In short words with this pattern we could allow to create a better isolation on application level in same user account.