I have completed initial OAuth verification process for the scopes I have been using in the app. (see scopes detail below).
Now Google verification team is requesting CASA verification process as you can see in email screenshot attached too. So getting to my question, is this verification requested because I am using external_request scope? or there is any other reason behind it?
I published another app too with same scopes except drive and external_request scopes and it's successfully published. Thats why I am asking that some scope could be responsible for it.
Project OAuth Scopes 5 Scopes Requested
See, edit, create, and delete all of your Google Drive files https://www.googleapis.com/auth/drive
See, edit, create, and delete all your Google Sheets spreadsheetshttps://www.googleapis.com/auth/spreadsheets
Connect to an external service https://www.googleapis.com/auth/script.external_request
Display and run third-party web content in prompts and sidebars inside Google applications https://www.googleapis.com/auth/script.container.ui
See, edit, create, and delete all your Google Docs documents https://www.googleapis.com/auth/documents
As TheAddonDepot mentioned in this comment, it was the https://www.googleapis.com/auth/drive
scope that triggered the security assessment. Instead I will try to use https://www.googleapis.com/auth/drive.file
scope for now. It was also confirmed when I emailed google about this issue.