You only need “Access Direct Messages” if your app works with DMs, otherwise - “Read and Write” is enough to post tweets on behalf of the user, create lists etc. If you are just collecting data and not posting anything “Read Only” is enough. You can also request visibility of a user’s email address https://dev.twitter.com/oauth/overview/application-permission-model
You can change the access later if you need to - but remember that tokens created before the change in permissions will need to be created again.
