List ignores drive.file scope and shows shared fil

Posted 2019-03-01 22:46

Question:

Our application uses the drive.file scope to make sure we only can see files of our users that have been created by our application.

However, a 'list' call returns files that have been shared with the user even though they are not created by our application.

That can be easily verified in the "Try it!" section of files/list API documentation. Authorize with drive.file scope and run a simple list query without any parameters. That should return an empty list but in my case returns dozens of files that have been shared with me.

There was the same issue before (a slight variation only affecting queries with q parameter set): Listing files with search query returns out-of-scope results (drive.files.list call, using drive.files scope)

It has been fixed in the meantime but now it seems to be back for all list queries. It's problematic not mainly because it breaks our app that expects nothing but its own files. There is the privacy problem because I can suddenly see the file names of our users' private data, which they have never agreed to.

Answer 1:

I believe this issue is due to the behavior of API Explorer, not Drive API itself. If API Explorer already has a token with OAuth scopes capable of making the call, it will use that, so if you previously gave API Explorer a scope that can see all user files, you'll get them all back. Try revoking ALL Explorer tokens for your account at:

https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en

then, after clearing all cookies/sessions for developers.google.com, try creating a new token with only the drive.file scope and attempt your API call again.

You should also note that files that are publicly shared will be returned.
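An added example, not part of the answer above: one way to confirm which scopes a token really carries before trusting a files/list result is to read the `scope` field that Google's OAuth2 tokeninfo endpoint returns for it. The function names are hypothetical, the two tokeninfo responses are constructed samples, and treating every Drive scope other than drive.file as unexpected is a conservative assumption.

```python
import json
import urllib.parse
import urllib.request

TOKENINFO_URL = "https://oauth2.googleapis.com/tokeninfo"
DRIVE_PREFIX = "https://www.googleapis.com/auth/drive"
DRIVE_FILE = DRIVE_PREFIX + ".file"


def fetch_tokeninfo(access_token):
    """Ask Google which scopes an access token really carries (needs network)."""
    query = urllib.parse.urlencode({"access_token": access_token})
    with urllib.request.urlopen(f"{TOKENINFO_URL}?{query}", timeout=10) as resp:
        return json.load(resp)


def audit_drive_scopes(tokeninfo):
    """Return (is_drive_file_only, unexpected_drive_scopes).

    Conservative assumption: any Drive scope other than drive.file counts as
    unexpected, because the app asked for drive.file alone.
    """
    granted = set(tokeninfo.get("scope", "").split())
    drive = {s for s in granted
             if s == DRIVE_PREFIX or s.startswith(DRIVE_PREFIX + ".")}
    unexpected = sorted(drive - {DRIVE_FILE})
    return (DRIVE_FILE in drive and not unexpected), unexpected


# Constructed tokeninfo responses (not captured from a real account).
REUSED_EXPLORER_TOKEN = {
    "aud": "example-client-id.apps.googleusercontent.com",
    "scope": DRIVE_FILE + " " + DRIVE_PREFIX + ".metadata.readonly",
    "expires_in": "3500",
}
FRESH_TOKEN = {
    "aud": "example-client-id.apps.googleusercontent.com",
    "scope": DRIVE_FILE,
    "expires_in": "3500",
}

if __name__ == "__main__":
    for name, info in [("reused", REUSED_EXPLORER_TOKEN), ("fresh", FRESH_TOKEN)]:
        ok, extra = audit_drive_scopes(info)
        print(f"{name}: drive.file only={ok}, unexpected={extra}")
```

To check a live token, pass the result of `fetch_tokeninfo(token)` to `audit_drive_scopes`; a token reused from an earlier, broader authorization shows up as a non-empty second element.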