Scope checking should be sets, not lists

From https://github.com/Flowminder/FlowKit/pull/6581#discussion_r1595142083

> It's compared to other lists when we check it against the requested scopes; now I say that, a set would be better there too, but that probably belongs in a different PR

Given that there's no reason we need duplicate scopes, it's probably sensible to be passing scopes/permissions around as sets instead of lists