When an application is created in the API Console, the client ID & secret can be used to access every single type of CRM: main (production), developer edition & any sandboxes. These credentials can be used to generate an access token for any of these CRMs. This is a big security concern!

How are we supposed to be able to test API integration in our dev environment with credentials that (if leaked) could be used to access the production CRM?

When I create an application in the API Console, I would expect to be able to "scope" it to a specific organization on creation: any app using these "scoped" credentials should only be able to access resources belonging to that organization.