Thanks for the post! I can't point you at any other frames in particular, but for reference on the Dropbox side of things, there are currently two different file permissions API apps can use, "Full Dropbox" and "App folder". The first offers full access to the entire Dropbox, and the second offers access to only one folder. There are advantages to each, and the developer chooses whichever they believe to be best for their app when first registering the app. Dropbox API apps are written to work with a specific permission, so it's not possible for the user to change the permission from the user-side. Likewise, there isn't a way for users to allow access to a specific existing folder only. I certainly understand why that would be preferable though, so I'm sending this along as a feature request.
For reference, there are some less obvious reasons why even simple looking apps may desire full access. For instance, app folders cannot be shared, nor can they be placed inside shared folders or contain shared folders. While this offers a higher level of restriction, simplifies the experience, and eliminates some complexities, it can also present problems with some common use cases.
For instance, some users have two (or more) Dropbox accounts, (e.g. one for personal use, one for work, etc.) However, sometimes these users will want to sync some subset of their files (e.g., important items such as a password database) between both accounts, and use shared folders to do so. This would be impossible using app folder access, significantly reducing the value of the app to the user.
Also, one method we sometimes see, although it requires extra work for the developer, and extra UI and an extra decision for the user to make, is developers registering apps for both types of access, and allowing the user to choose which they prefer. (If you wish to see this available in the apps you use, I recommend submitting feedback to the developers of those apps.)
And of course, if you ever no longer wish to use an app, you can immediately and remotely unlink it via: https://www.dropbox.com/account/security