Bug: Receiving subscriptions for unauthorized scopes

After a user reconnects their account (unselecting some scopes), previous subscriptions are still being notified, even if the scope is no longer allowed.


Step 1: Connect a user and authorize all scopes.

Step 2: Subscribe that user to all collections doing this:


POST https://api.fitbit.com/1/user/-/activities/apiSubscriptions/id1.json
POST https://api.fitbit.com/1/user/-/foods/apiSubscriptions/id2.json
POST https://api.fitbit.com/1/user/-/sleep/apiSubscriptions/id3.json
POST https://api.fitbit.com/1/user/-/body/apiSubscriptions/id4.json

Step 3: User logs an activity and a food record on their account.


Step 4: Push notification for both values is received.

Step 5: User reconnects their account, but this time the food scope is not allowed (unchecked).

Step 6: Check foods subscription

GET https://api.fitbit.com/1/user/-/foods/apiSubscriptions.json

Response:
{
    "errorType": "insufficient_scope",
    "message": "This application does not have permission to access nutrition data. Visit https://dev.fitbit.com/docs/oauth2 for more information on the Fitbit Web API authorization process."
}

Step 7: User logs a food record on their account.

Step 8: Push notification (food) is received. Bug?

{
        "collectionType": "foods",
        "date": "2016-07-07",
        "ownerId": "XXXXX",
        "ownerType": "user",
        "subscriptionId": "id2"
}
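Until the server side stops delivering notifications for revoked scopes, the subscriber can refuse to act on them. The following is an added example, not code from the post or from Fitbit: it checks each incoming notification's collectionType against the scopes the app stored from the user's most recent token grant and separates out the ones that should not have arrived. The foods-to-nutrition mapping comes from the error message above; the other three collection-to-scope pairs, the sample granted scopes and the sample webhook body are assumptions constructed for the example.

```python
import json

# Subscription collection -> OAuth scope it requires.
# "foods" -> "nutrition" is taken from the insufficient_scope error above;
# the other three pairs are assumptions for this example.
COLLECTION_SCOPE = {
    "activities": "activity",
    "foods": "nutrition",
    "sleep": "sleep",
    "body": "weight",
}

# Constructed sample: scopes the user granted on reconnect (food unchecked),
# as the app would have stored them from the token response.
GRANTED_SCOPES = {"activity", "sleep", "weight"}

# Constructed sample webhook body, shaped like the notification quoted above.
SAMPLE_BODY = json.dumps([
    {"collectionType": "activities", "date": "2016-07-07",
     "ownerId": "XXXXX", "ownerType": "user", "subscriptionId": "id1"},
    {"collectionType": "foods", "date": "2016-07-07",
     "ownerId": "XXXXX", "ownerType": "user", "subscriptionId": "id2"},
])


def filter_notifications(body: str, granted_scopes: set) -> tuple:
    """Split a webhook payload into notifications the app may act on and
    ones that reference a collection outside the user's current grant.

    Returns (allowed, rejected); each rejected entry carries a 'reason'
    so it can be logged and its stale subscription cleaned up."""
    data = json.loads(body)
    if isinstance(data, dict):      # accept a single object as well as a list
        data = [data]
    allowed, rejected = [], []
    for note in data:
        needed = COLLECTION_SCOPE.get(note.get("collectionType"))
        if needed is None:
            rejected.append({**note, "reason": "unknown collection"})
        elif needed not in granted_scopes:
            rejected.append({**note, "reason": f"scope '{needed}' not granted"})
        else:
            allowed.append(note)
    return allowed, rejected


def stale_subscription_ids(rejected: list) -> list:
    """Subscription ids the app should delete from the matching
    apiSubscriptions endpoint because the user revoked that scope."""
    return sorted({n["subscriptionId"] for n in rejected if "scope" in n["reason"]})
```

Logging the rejected entries also gives a record of how long the upstream keeps sending them after the scope was removed.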
