Hey @Alan_G 
good to see you again.
Yes, adding documentation for understanding which access scopes are required for cart mutations/queries would be extremely helpful.
Basically, once you have a Storefront Access Token generated, you can create/manipulate carts without any additional scopes required.
This is where I’m stuck, I’ve tried creating a Storefront Access Token through the storefrontAccessTokenCreate mutation on the GraphQL Admin API, but the request is rejected due to permissions.
Please see my other post about permissions issues with creating a storefront API token here:
Since this mutation should create an unauthenticated SF access token, shouldn’t the mutation just work?
I’m reading through another Storefront API guide (linked below), it’s mentioning enabling the Storefront API on the Shopify store itself first.
Do merchants need to enable the Storefront API in their Shopify store’s setting in order for installed Shopify apps to leverage the Storefront API on their behalf?