I got the same email from Google asking me to complete a CASA Tier 2 security assessment. They couldn’t give me a definite answer on which part of Duplicacy needs to be accessed (the Duplicacy CLI or the server code that connects to Google for authorization), nor did they have an idea about which scope Duplicacy should be using (the full drive scope vs. the limited app scope).
Anyway, I figured out that the app scope (https://www.googleapis.com/auth/drive.file) is enough for Duplicacy. For existing backups created with the full scope, we just need to copy the subdirectories to a new directory created with the app scope, and Duplicacy will have access to all files under these subdirectories.
So my understanding is that the CASA Tier 2 security assessment is only necessary if your app needs the full scope (https://www.googleapis.com/auth/drive), and Duplicacy should be safe for now.