After digging into this further, I'm able to understand the confusion. Due to the nature of scope approvals, your portal is able to approve the tickets scope despite not having access to Service Hub. This is technically working as expected, but I want to touch base with my team on this to make sure the correct portals can approve the correct scopes. I'll reach back out in this thread when I have more information.
We make a request to get a token with 'tickets' scope to a hub that doesn't have Service Hub (hub_id:2021855)
get https://app.hubspot.com/oauth/authorize?client_id=...&redirect_uri=http%3A%2F%2Flocalhost%3A3000%2Foauth%2Fauthorization%2Fhubspot%2Fcallback&response_type=code&scopes=contacts%20files%20tickets&state=...
We make a request to refresh the token and see what scopes are enabled: get https://api.hubapi.com/oauth/v1/refresh-tokens/…
response: Body: {"token":"...","user":"...","hub_domain":"...","scopes":["oauth","contacts","files","tickets"],"hub_id":2021855,"client_id":"...","user_id":889408,"token_type":"refresh"}
List of scopes includes 'tickets' even though hub 2021855 doesn't have Service Hub enabled.
If your integrations requests the tickets scope, only portals with Service Hub will be able to approve that scope. You can get info on that portal's refresh token to determine if they were able to approve the tickets scope.