TL;DR there end up being two methods of "access" to GitHub repos with oAuth -- full permission including write and create repo, and.. uh.. no access at all? Something safe like "read only" through oAuth is impossible, which is kinda insane.