> Finetuned permissions cost to implement. GitHub doesn't have them (maybe we wouldn't have seen this post if it had).

They exist for github apps, and they're being rolled out for PATs alongside forced expiration: https://github.blog/2022-10-18-introducing-fine-grained-pers...

Not sure there's any way for them to happen for oauth apps though. And even if they do, they're opt-in for the app and the old broad scope will remain. At best the broad scopes would only be accessible to old apps grandfathered in but that ain't much (there's probably a billion abandoned oauth applications you could purchase for that grandfathering).

Fine, put that behind my $x/mo account + service accounts.

$x/mo * Service accounts is dumb.

That's not a practical suggestion, since GitHub isn't self-hosted or open-source.