The goal of the Attribute Query is to complete the info that the app has from the IdP, which was received in the Response to the AuthnRequest.
The SP can make an Attribute Query request to the IdP to complete the info of the currently logged-in user, but it is not supposed to ask for the user list or the group list.
What is the problem with making a REST request to the IdP? If you use OAuth2 to protect the Tx, all is OK.
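As an added illustration of the Attribute Query exchange discussed above (example code written for this page, not code from any SAML library or from the posters), here is both sides of the message: the SP builds a SAML 2.0 AttributeQuery scoped to the NameID of the user who is already logged in, the IdP side parses it, and the SP parses the IdP's Response and refuses any Assertion whose Subject is not the user it asked about, which is the "only the current user, not the user or group list" rule stated above. The entity IDs, the NameID `alice@example.org`, the attribute OIDs and the sample Response are all constructed for the example; XML signatures and the SOAP binding over which the query would actually travel are not shown.

```python
"""Added example: SAML 2.0 AttributeQuery for the currently logged-in user.

Illustration code, not any SAML library's API. Entity IDs, NameID, attribute
names and the sample Response below are constructed for the example. Signing
and the SOAP binding to the IdP's AttributeService are deliberately omitted.
"""
import datetime
import uuid
import xml.etree.ElementTree as ET

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"
ET.register_namespace("samlp", SAMLP)
ET.register_namespace("saml", SAML)


def build_attribute_query(sp_entity_id, name_id, name_id_format, attribute_names):
    """SP side: return AttributeQuery XML asking for attributes of one subject only."""
    query = ET.Element(f"{{{SAMLP}}}AttributeQuery", {
        "ID": "_" + uuid.uuid4().hex,
        "Version": "2.0",
        "IssueInstant": datetime.datetime.now(datetime.timezone.utc)
                                         .strftime("%Y-%m-%dT%H:%M:%SZ"),
    })
    ET.SubElement(query, f"{{{SAML}}}Issuer").text = sp_entity_id
    subject = ET.SubElement(query, f"{{{SAML}}}Subject")
    ET.SubElement(subject, f"{{{SAML}}}NameID", {"Format": name_id_format}).text = name_id
    # Each requested attribute is listed by name; the IdP decides what it releases.
    for name in attribute_names:
        ET.SubElement(query, f"{{{SAML}}}Attribute", {
            "Name": name,
            "NameFormat": "urn:oasis:names:tc:SAML:2.0:attrname-format:uri"})
    return ET.tostring(query, encoding="utf-8")


def parse_attribute_query(xml_bytes):
    """IdP side: pull issuer, subject and requested attribute names out of a query."""
    root = ET.fromstring(xml_bytes)
    if root.tag != f"{{{SAMLP}}}AttributeQuery":
        raise ValueError("not an AttributeQuery")
    name_id = root.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
    if name_id is None or not name_id.text:
        raise ValueError("AttributeQuery must name exactly one subject")
    return {
        "issuer": root.findtext(f"{{{SAML}}}Issuer"),
        "name_id": name_id.text,
        "name_id_format": name_id.get("Format"),
        "attributes": [a.get("Name") for a in root.findall(f"{{{SAML}}}Attribute")],
    }


def parse_attribute_response(xml_bytes, expected_name_id):
    """SP side: return {attribute name: [values]} from the IdP's Response.

    Rejects a non-Success status and any Assertion about a different subject,
    so the SP only ever learns about the user it is completing info for.
    """
    root = ET.fromstring(xml_bytes)
    code = root.find(f"{{{SAMLP}}}Status/{{{SAMLP}}}StatusCode")
    if code is None or code.get("Value") != SUCCESS:
        raise ValueError("IdP did not return Success")
    attrs = {}
    for assertion in root.findall(f"{{{SAML}}}Assertion"):
        nid = assertion.find(f"{{{SAML}}}Subject/{{{SAML}}}NameID")
        if nid is None or nid.text != expected_name_id:
            raise ValueError("assertion subject does not match the queried user")
        for a in assertion.findall(f"{{{SAML}}}AttributeStatement/{{{SAML}}}Attribute"):
            attrs.setdefault(a.get("Name"), []).extend(
                v.text for v in a.findall(f"{{{SAML}}}AttributeValue"))
    return attrs


# Constructed sample Response, as an IdP might return it for the query above.
SAMPLE_RESPONSE = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0"
    IssueInstant="2024-01-01T00:00:00Z">
  <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2024-01-01T00:00:00Z">
    <saml:Issuer>https://idp.example.org/metadata</saml:Issuer>
    <saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.org</saml:NameID></saml:Subject>
    <saml:AttributeStatement>
      <saml:Attribute Name="urn:oid:2.5.4.42"><saml:AttributeValue>Alice</saml:AttributeValue></saml:Attribute>
      <saml:Attribute Name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1">
        <saml:AttributeValue>member</saml:AttributeValue><saml:AttributeValue>staff</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


if __name__ == "__main__":
    q = build_attribute_query("https://sp.example.org/metadata", "alice@example.org",
                              "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress",
                              ["urn:oid:2.5.4.42", "urn:oid:1.3.6.1.4.1.5923.1.1.1.1"])
    print(parse_attribute_query(q))
    print(parse_attribute_response(SAMPLE_RESPONSE, "alice@example.org"))
```

The subject check in `parse_attribute_response` is the point of the example: an Attribute Query is a per-user lookup, so an SP that accepts attributes for a subject other than the one it named has either a bug or a misbehaving IdP, and the safe reaction is to discard the whole Response.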