Your private GitHub organization might not be so private . Without a third-party access policy applications are able to act on behalf of your users. This includes any scopes that the user grants permissions to the application- potentially including access to private repositories.