The CDR Support Portal knowledge article Mandatory Scopes Request suggests that at least one scope must be defined:
Can a Data Holder (DH) reject a request from Accredited Data Recipient (ADR) which does not have any data scopes defined?
The article Expected behaviour for scopes presented by an ADR to a DH discusses how to deal with various situations involving scopes. The final paragraph specifically states that a DH must reject a request that contains no scopes supported by the DH. A request with no scopes at all should be rejected on this basis.
A request with only the
openid scope should be accepted. While the request may not receive any shared data in response, the request could act as a test to check the authorisation response.