In general you will need the same OAuth scopes for the webhook as you would for the corresponding REST API. The OAuth scopes are documented here: https://help.shopify.com/api/guides/authentication/oauth#scopes
Any app can register the app/uninstall webhook.
Right, but only read scopes are required, right?
For example, if I want to be notified whenever an order is created/updated, I wouldn't need the scope 'write_orders', would I? (since webhooks are only a read-only notifications)