Keycloak as an Authorization Service

What if I want to guard business data in general?

This is an extremely broad question. The only thing I can really say is that OAuth2/OIDC don’t have anything to do directly with securing data. It’s the responsibility of the application holding the data to store it securely and restrict access so that unauthorized parties cannot read it.

OAuth2 is an authorization protocol and OIDC is an authentication protocol. Together, they can be used by an application to help determine who is making a request and what the caller is allowed to do.

Trying to answer your second question, the assumption of OAuth2 is that a request is being made by a client authorized by an “access token” - the “scope” of that token can be used to determine what powers the token grants. If you control both the authorization server (that issues the tokens) and the resource server (that receives the tokens and enforces access) then you can issue tokens for any principal (i.e. user, system, etc) with any scopes you choose.
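The split described in the answer above, with an authorization server minting scoped tokens and a resource server enforcing them, as an added example that is not part of the original post. The HS256 shared secret, issuer URL, audience and scope names are constructed for the demo; real deployments typically verify an asymmetric signature against the issuer's published keys.

```python
import base64, hashlib, hmac, json, time

# Constructed values: a shared HS256 key stands in for the issuer's signing key.
SECRET = b"demo-shared-secret"
ISSUER = "https://auth.example.test/realms/demo"   # hypothetical issuer
AUDIENCE = "orders-api"                            # hypothetical resource server

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64d(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def sign(signing_input):
    return hmac.new(SECRET, signing_input.encode(), hashlib.sha256).digest()

def issue_token(sub, scope, ttl=300, aud=AUDIENCE):
    """Authorization server: mint a token for any principal with any scopes."""
    header = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    claims = {"iss": ISSUER, "aud": aud, "sub": sub, "scope": scope,
              "exp": int(time.time()) + ttl}
    body = b64e(json.dumps(claims).encode())
    return f"{header}.{body}.{b64e(sign(header + '.' + body))}"

def authorize(token, required_scope):
    """Resource server: verify the token, then enforce the scope it carries."""
    try:
        header, body, sig = token.split(".")
        if json.loads(b64d(header)).get("alg") != "HS256":  # pin the algorithm
            return False, "unexpected alg"
        if not hmac.compare_digest(sign(header + "." + body), b64d(sig)):
            return False, "bad signature"
        claims = json.loads(b64d(body))
    except (ValueError, TypeError, AttributeError):
        return False, "malformed token"
    if not isinstance(claims, dict):
        return False, "malformed token"
    aud = claims.get("aud")
    if claims.get("iss") != ISSUER or AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong issuer or audience"
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= time.time():
        return False, "expired"
    # scope is a space-delimited list; compare whole values, never substrings
    if required_scope not in str(claims.get("scope", "")).split():
        return False, "insufficient_scope"
    return True, "ok"

if __name__ == "__main__":
    print(authorize(issue_token("alice", "orders:read profile"), "orders:write"))
```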