Do not require AppRoleAssignment.ReadWrite.All for a service principal if the service principal is an Owner
It seems Service Principals that manage an Application's AppRole currently require AppRoleAssignment.ReadWrite.All Graph role, which would grant it write permissions on all applications. This would make this Service Principal an attack vector and essentially make it impossible for a security-conscious admin to grant this role.
Graph could check that the Service Principal making an attempt to create an AppRole assignment is an Owner of the Application (like it does when a User is requesting this operation) and avoid requiring the highly-privileged AppRoleAssignment.ReadWrite.All.
Discovered Application.ReadWrite.OwnedBy that kinda makes it non-issue, although I don't understand why it is required since in large org this involves scrutiny that could be avoided because Ownership still needs to be explicitly granted.