security – Can a script on Google Docs or Google Sheets really access all my Google Drive files?

I see this security risk listed in my google account security check-up:

“App details
Has access to:

  • See, edit, create and delete your spreadsheets in Google Drive
  • See, edit, create and delete all of your Google Drive files
  • Connect to an external service
    Display and run third-party web content in prompts and sidebars inside Google applications
    Allow this application to run when you are not present”

This is specifically a script in a Google Sheets file that requested access and I allowed it but when it requested access it didn’t say this was going to happen??

How does Google’s model for this work even? It doesn’t make sense to me that this would literally work like that.

I am asking power users of web apps because what I would like to understand is the security/access model that is used and I just cannot believe that it literally would work like this.