I have a Google Docs Editor Add-on that uses the https://www.googleapis.com/auth/drive scope as a workaround, but I want to use the https://www.googleapis.com/auth/drive.file scope instead.

Ideally my user opens a Google Doc, then opens the add-on, and the add-on can only access that Doc.
The trouble is, part of the process involves exporting that doc to plaintext and sending on to another service.
I handle that part in a web service of my own using the Drive API.

My add-on sends its OAuth2 access token to my service (implicit flow), and the url of the Google Doc.
(You might say naughty naughty for not using credentials flow, but guess what, the Google Picker docs recommend doing the exact same thing so the picker doesn't show a second consent screen. It's the same idea for my app. I don't want to make them consent for the same thing twice. And I don't want to access their doc when the user is not present.)

The trouble is that my web app cannot access the Google Doc.

The reason is because the /auth/drive.file scope only grants my AppsScript app access to a doc if:
1. My app created the doc; or
2. The user selected my app in the Google File Picker.

Neither of these options make sense to my use case, or frankly, to any use case where a user wants to open a Google Docs Editor Add-on for just the currently open file.

How could I get my app to work with the /auth/drive.file scope, only one consent screen, and no file picker?