+1 this a thousand times. The only way i have found to effectively lock things down is using an org and creating a new Github user just for third-party integrations.

Bitbucket is fast, and I believe focuses on repository permissions. Have you tried them?

Yes, though it has been a year or two. However it's more of a personal preference / fits within my normal work routine to use GH. I have a number of OS repos that, for community reasons, need to stay on GH, then most of my normal work is on GH which is generally where the concerns come in from a security standpoint.

I've done the same with creating multiple github user accounts . I think that is the only work around for some OAuth app integrations.