Add Calendars.ReadBasic minimum permission for getSchedule
getSchedule and list events require the same permission - Calendars.Read. This is too broad for getSchedule, allows the caller to list events, including the event subject/body.
Create a new permission: Calendars.ReadBasic. Use it as minimum permission to retrieve free/busy info only, which is sufficient to determine availability and scheduling meetings.
Exchange Calendar permissions and sharing policies have this. https://docs.microsoft.com/en-us/exchange/sharing/sharing-policies/sharing-policies.
Cory Smith commented
This would be a very good enhancement. Many enterprise organizations do not want to provide Calendar.Read permissions due to the ability to return subject/body. There could potentially be sensitive information there. This permission would limit to just the free/busy status of a user's calednar. This should also be an enterprise app perrmission. A calendar permission of Calendars.Read.Basic or Calendar.Read.FreeBusy would work well.
GetSchedule only shows the full schedule items of the user and not of other users. This makes perfect sense. The current signed in user should be able to read their own details.