> The HEAD method is identical to GET except that the server MUST NOT
> send a message body in the response (i.e., the response terminates at
> the end of the header section)

https://tools.ietf.org/html/rfc7231#section-4.3.2

Judging from that section of the RFC 7231 it should be safe to allow
HEAD requests in the read_api and read_user scopes