CircleCI only ever requests the minimum required permissions possible.
It is currently not possible to limit the required permissions for CircleCI to access your VCS provider account any further whilst retaining full functionality. This is due to us being bound by how the permissions models for GitHub and Bitbucket work as they do not provide granular permissions to limit scope.
We always encourage users with concerns about the permission models to reach out to Github and Bitbucket to express them too in the hope they will be updated in the future.
For a full breakdown of permissions requested, please see our documentation on VCS permissions.