weego 8 days ago

I've definitely done this, but it's in a class of "the problem is between the keyboard and chair" 'exploits' that shouldn't be pinned on a particular tech or company.

ljm 7 days ago

It's the same as Apple telling people they're holding their iPhone wrong, though. Do you want to train millions of people to understand your new permissions setup, or do you want to make it as easy as possible to create tokens with minimal permissions by default?

People will take the path of least resistance when it comes to UX so at some point the company has to take accountability for its own design.

Cloudflare are on the right track with their permissions UX simply by offering templates for common use-cases.

gpvos 7 days ago

No, GitHub is squarely to blame; the permission system is too detailed for most people to use, and there is no good explanation of what each permission means in practice.