
Sure they could. What you allow or deny would be enforced by the identity provider. The relying party simply would not receive the data and could not access it.

However, that’s really about OpenID, not about OAuth.




These are treated as permissions in the AAD OAuth model. Your issue seems to be with the Google and Facebook implementations, not the spec.


The spec could say something like "a client may ask for extended information but can't demand it unconditionally and must gracefully handle situations when access to particular fields is denied".


But that's already possible, right?

The problem is that you can't make _everything_ optional, or else the user can deny everything and the application then has to tell the user "You denied X, but we really need it to proceed. Try again...", which is a definitively worse experience than having the grant request say "here's what this app is asking for".


This is anticipated by scope requested by the client being able to be ignored by the authorization server. This appears in the AAD flow for the user as a list of toggles. The application has to handle the case where the scope is less than what is listed - this is all in section 3.2. Actually defining what data or permissions is bound to what scope is rightfully beyond the goals of the specification.
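The behaviour discussed in the last few comments (the authorization server, or the user via its consent toggles, granting a narrower scope than the client requested, and the client having to cope with that rather than failing outright) comes down to reading the `scope` parameter of the token response. RFC 6749 §3.3 lets the server issue a token with a different scope than requested and requires it to report the actual scope when it differs. Below is an added example of the client-side reconciliation, written for this page rather than taken from the thread or from any provider's SDK; the token response, the scope names and the split into required versus optional scopes are all constructed for illustration.

```python
import json

# Constructed sample token response (not from the thread): the server granted
# only two of the four scopes the client asked for. Per RFC 6749 section 3.3,
# "scope" is present because it differs from what was requested.
SAMPLE_TOKEN_RESPONSE = json.dumps({
    "access_token": "example-token-placeholder",
    "token_type": "Bearer",
    "expires_in": 3600,
    "scope": "openid profile",
})

# Hypothetical scope names for illustration only.
REQUESTED_SCOPES = {"openid", "profile", "email", "contacts.read"}
REQUIRED_SCOPES = {"openid"}                       # app cannot run without these
OPTIONAL_SCOPES = REQUESTED_SCOPES - REQUIRED_SCOPES  # features degrade gracefully


def parse_granted_scopes(token_response_json, requested):
    """Return the set of scopes the token is actually valid for.

    If the server omits "scope", RFC 6749 says the granted scope is identical
    to the requested scope; otherwise the space-delimited list is authoritative.
    """
    body = json.loads(token_response_json)
    scope_str = body.get("scope")
    if scope_str is None:
        return set(requested)
    return set(scope_str.split())


def reconcile_scopes(granted, required, optional):
    """Decide how the client proceeds given what was granted.

    ok                 - True only if every required scope was granted
    missing_required   - required scopes the user or server withheld
    disabled_features  - optional scopes withheld; the features that depend on
                         them are switched off instead of re-prompting the user
    """
    missing_required = set(required) - granted
    disabled = set(optional) - granted
    return {
        "ok": not missing_required,
        "missing_required": missing_required,
        "disabled_features": disabled,
    }


def handle_token_response(token_response_json):
    granted = parse_granted_scopes(token_response_json, REQUESTED_SCOPES)
    result = reconcile_scopes(granted, REQUIRED_SCOPES, OPTIONAL_SCOPES)
    result["granted"] = granted
    # Scopes the server returned that were never requested are worth logging:
    # the client should not silently start using them.
    result["unexpected"] = granted - REQUESTED_SCOPES
    return result


if __name__ == "__main__":
    print(handle_token_response(SAMPLE_TOKEN_RESPONSE))
```

The design point is the split between required and optional scopes: only the former justify a "we really need X" retry, and everything else is handled by disabling the corresponding feature, which is exactly the case the comment above says the application has to handle.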



