thewisenerd 5 days ago

ah; understood. assuming PEM leakage aside

the scope of the exchanged token is the scope of the installation (org / repo); thereby limiting exposure already

to further reduce the scope of exposure, the jwt would've needed to be exchanged with the specific `repositories` (given most installations are org scoped) and `permissions`

https://docs.github.com/en/apps/creating-github-apps/authent...
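The scoped exchange the comment describes, as an added example (not the commenter's code): the App JWT is swapped for an installation token whose body names `repositories` and `permissions`, and the response is checked so a token broader than requested is caught rather than used. It assumes PyJWT for RS256 signing and uses a constructed sample response; no real GitHub output is involved.

```python
import json
import time
import urllib.request

LEVELS = ["read", "write", "admin"]  # permission levels, least to most privileged

def sign_app_jwt(private_key_pem, client_id, now=None):
    """App JWT: iat backdated 60 s for clock drift, lifetime under GitHub's 10-minute maximum."""
    import jwt  # PyJWT with its crypto extra (assumed); imported lazily so the offline checks need no key
    now = int(time.time()) if now is None else now
    claims = {"iat": now - 60, "exp": now + 9 * 60, "iss": client_id}
    return jwt.encode(claims, private_key_pem, algorithm="RS256")

def scoped_token_request(repositories=(), permissions=None):
    """Body for POST /app/installations/{id}/access_tokens: named repos and an explicit permission subset."""
    body = {}
    if repositories:
        body["repositories"] = sorted(set(repositories))
    if permissions:
        body["permissions"] = dict(permissions)
    return body

def exchange_token(app_jwt, installation_id, body):
    """Perform the exchange; returns GitHub's JSON (token, expires_at, permissions, repository_selection, ...)."""
    req = urllib.request.Request(
        f"https://api.github.com/app/installations/{installation_id}/access_tokens",
        data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": f"Bearer {app_jwt}", "Accept": "application/vnd.github+json",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def scope_findings(response, requested):
    """Every way the issued token is broader than requested; an empty list means least privilege held."""
    findings, want_perms = [], requested.get("permissions", {})
    for perm, level in response.get("permissions", {}).items():
        if perm not in want_perms:
            findings.append(f"unrequested permission {perm}={level}")
        elif LEVELS.index(level) > LEVELS.index(want_perms[perm]):
            findings.append(f"permission {perm} escalated {want_perms[perm]}->{level}")
    if requested.get("repositories"):
        if response.get("repository_selection") == "all":
            findings.append("token valid for all repositories despite a repository list")
        got = {r["name"] for r in response.get("repositories", [])}
        findings += [f"unrequested repository {n}" for n in sorted(got - set(requested["repositories"]))]
    return findings

# Constructed sample response (not real GitHub output): broader than a request for repo "api", contents:read.
SAMPLE_RESPONSE = {"token": "ghs_placeholder", "repository_selection": "selected",
                   "repositories": [{"name": "api"}, {"name": "infra"}], "permissions": {"contents": "write", "issues": "read"}}
```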