Hm good question, just by going in the flow graphic in
https://www.ory.sh/hydra/docs/next/concepts/consent/
i would say the end user first gets redirected and then consent info (including requested_scopes) gets fetched from hydra.
you may need to make sure that the client is allowed to request the scopes in the consent endpoint, but I am not 100% certain, will let you know if I have more certainty.