+1 this a thousand times. The only way I have found to effectively lock things down is using an org and creating a new GitHub user just for third-party integrations.
Yes, though it has been a year or two. However, it's more of a personal preference / fits within my normal work routine to use GH. I have a number of OS repos that, for community reasons, need to stay on GH, and most of my normal work is on GH, which is generally where the concerns come in from a security standpoint.