GitHub org permissions: only access public repos

Under the covers, a GitHub org and a GitHub user’s account are almost the same when it comes to API calls, in the sense that CircleCI accesses them.

The private access we need boils down to how GitHub scopes work. We need “private access” to be able to see what repos you have, who the members are, and to add deploy keys and hooks.

Here are the permissions we request and use

The one that makes folks nervous is the “Full control of private repositories”.

That’s actually the repo scope, which is required for us to see any of your private projects. We do not write to or edit them.

You can see more on GitHub scopes here: https://developer.github.com/apps/building-oauth-apps/understanding-scopes-for-oauth-apps/
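To check what a given OAuth token can technically do, regardless of what the app says it uses, read the `X-OAuth-Scopes` header GitHub returns on API responses and expand it through the documented scope hierarchy. The following is an added example, not CircleCI's code; the function names and the sample header values are constructed for illustration.

```python
# Parent scopes imply their children, per GitHub's OAuth scope documentation.
IMPLIED = {
    "repo": {"repo:status", "repo_deployment", "public_repo",
             "repo:invite", "security_events"},
    "admin:org": {"write:org", "read:org"},
    "write:org": {"read:org"},
    "admin:repo_hook": {"write:repo_hook", "read:repo_hook"},
    "write:repo_hook": {"read:repo_hook"},
    "user": {"read:user", "user:email", "user:follow"},
}


def parse_scopes(header_value):
    """Split an X-OAuth-Scopes header value into a set of scope names."""
    return {s.strip() for s in header_value.split(",") if s.strip()}


def effective_scopes(granted):
    """Expand granted scopes with every child scope they imply."""
    out, stack = set(granted), list(granted)
    while stack:
        for child in IMPLIED.get(stack.pop(), ()):
            if child not in out:
                out.add(child)
                stack.append(child)
    return out


def audit(header_value):
    """Summarise what a token's scopes allow, independent of app intent."""
    eff = effective_scopes(parse_scopes(header_value))
    return {
        "effective": eff,
        # OAuth apps have no read-only private-repo scope: `repo` is the
        # only way to see private repos, and it also carries write access.
        "private_repo_read_write": "repo" in eff,
        "public_only": "public_repo" in eff and "repo" not in eff,
        "can_write_hooks": bool({"repo", "write:repo_hook"} & eff),
        "can_read_org_membership": "read:org" in eff,
    }


if __name__ == "__main__":
    # Constructed sample header values, not captured from a real token.
    for sample in ("repo, read:org, user:email", "public_repo, admin:repo_hook"):
        print(sample, "->", audit(sample))
```
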