Disambiguation of documentation for Google as OIDC provider

I am going through this guide on how to configure Google as an OIDC provider.

In the first part, where no Google-specific configuration is needed, there is no mention about the setup of an OAuth application.

However, when going through the Google-specific configuration (which I want to set up, given that I want the information about group membership), there seems to be a need for the OAuth app to be of

external user type

Why is that? Isn't this a security issue, having all Gmail users potentially able to access Vault?