Scopes for each type are noted on the relevant Type here EventSub Subscription Types | Twitch Developers
You need a server or something that provides an oAuth flow to do the initial grant.
It is possible to do the initial grant via an implicit oAuth flow, which generally only needs a locally hosted webpage to capture the response access token.
EventSub over websockets will use a user token which you can easily get with an implict oAuth route.
So EventSub over websockets, can/will work the same as doing oAuth/calling the API if you have no server.
The only “issue” you have is the setup to get a token. In this example a lot of people use a third party token generator and copy/paste the token in, which is not advised.
So you could provide a web page that users auth your client on, that displays the token and then they user copy pastes the token.
For example: Twitch Implicit Auth Example this example will do an oAuth loop and return the token to the user. Which they could then copy/paste into your program that does the EventSub websocket. And since this only uses a clientID it’s safe to put it on a “server thats not mine” such as GitHub pages.
So, in short, you still need a server/method to get a user oAuth token, regardless of how you use the “private” Twitch API endpoints and topics.