It may have passed you by, it had me as I had not created a PAT for a while, but managing custom security for PATs in Azure DevOps is much easier since Sprint 140.
You now get some help to pick the correct ‘limited’ rights set by the simple grouping of rights.
We just need some more detailed documentation on what each option actually maps to permissions wise now to complete the picture