It's pretty straightforward as to what's included with user.readbasic.all, but if granted user.read.all, what's included in the "full profile" so I can assess the risk of granting this permission? Does it really grant access to everything listed here, including password and password policies?
User.ReadBasic.All (Read all users' basic profiles): Allows the app to read a basic set of profile properties of other users in your organization on behalf of the signed-in user. This includes display name, first and last name, email address, open extensions and photo. Also allows the app to read the full profile of the signed-in user.
User.Read.All (Read all users' full profiles): Allows the app to read the full set of profile properties, reports, and managers of other users in your organization, on behalf of the signed-in user.
The User.ReadBasic.All permission constrains app access to a limited set of properties known as the basic profile. This is because the full profile might contain sensitive directory information. The basic profile includes only the following properties:
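As a starting point for the risk assessment asked about above, the following added example (not part of the original post or of Microsoft's documentation) inventories which apps already hold each of the two delegated permissions and whether consent is tenant-wide. It assumes the delegated grants have been exported as JSON shaped like Microsoft Graph `oauth2PermissionGrant` objects; the sample data and the function names `profile_access` and `audit` are constructed for illustration.

```python
import json

# Constructed sample shaped like Microsoft Graph oauth2PermissionGrant objects
# (delegated grants). The IDs and scope strings are made up for illustration.
SAMPLE_GRANTS = json.loads("""
[
  {"clientId": "app-a", "consentType": "AllPrincipals", "principalId": null,
   "scope": "openid profile User.ReadBasic.All"},
  {"clientId": "app-b", "consentType": "AllPrincipals", "principalId": null,
   "scope": "User.Read.All Mail.Read"},
  {"clientId": "app-c", "consentType": "Principal", "principalId": "user-1",
   "scope": "user.readbasic.all User.Read.All"},
  {"clientId": "app-d", "consentType": "Principal", "principalId": "user-2",
   "scope": " User.Read "}
]
""")

# The two permissions discussed above; a higher rank means broader read access.
PROFILE_SCOPES = {"user.readbasic.all": ("basic", 1), "user.read.all": ("full", 2)}


def profile_access(grant):
    """Return 'full', 'basic' or None for one delegated grant (hypothetical helper)."""
    best = (None, 0)
    # The scope property is a space-separated list; compare case-insensitively.
    for scope in (grant.get("scope") or "").split():
        level = PROFILE_SCOPES.get(scope.lower())
        if level and level[1] > best[1]:
            best = level
    return best[0]


def audit(grants):
    """List grants that can read other users' profiles, broadest first."""
    findings = []
    for g in grants:
        level = profile_access(g)
        if level is None:
            continue  # e.g. User.Read only covers the signed-in user
        findings.append({
            "clientId": g["clientId"],
            "level": level,
            # AllPrincipals means consent was given for every user in the tenant.
            "tenant_wide": g.get("consentType") == "AllPrincipals",
        })
    # Full-profile grants sort first, tenant-wide ones ahead of per-user ones.
    return sorted(findings, key=lambda f: (f["level"] != "full", not f["tenant_wide"]))


if __name__ == "__main__":
    for finding in audit(SAMPLE_GRANTS):
        print(finding)
```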