NB: Although someone could consider it "paranoid", I am treating this as "tidy and more secure".
ATM the scikit-learn organization has a suboptimal (insecure?) policy for 3rd party apps.
I could be wrong, BUT I think that originally there was no granular way to grant or revoke permissions on a per-organization level when authorizing 3rd party services to access GitHub repos, thus all old organizations (such as scikit-learn, @scikit-image, ...) have by default "Policy: No restrictions" on https://github.com/organizations/scikit-learn/settings/oauth_application_policy .
This leads to the situation that whenever someone who has sufficient privileges for this organization authorizes some new 3rd party app, he just authorizes it by default for ALL organizations he has authority over where "No restrictions" remains the policy. IMHO it is undesirable! So I started to go through the organizations I have authority over and switch them over to the restricted policy. BUT then it often requires granting access to previously authorized 3rd party apps which this organization uses. This can be done by going through "OAuth applications" in "Personal settings", going to each relevant 3rd party application (Travis, AppVeyor, etc.) and clicking "Grant access".
Since I am far from being a lead on this organization, and not familiar with the current list of used 3rd party apps, I have decided just to raise the concern and outline the steps to be done, so you could decide how to proceed. Feel free to close if you consider it a non-issue. I can't promise though that I (or someone else with sufficient credentials) would not at some point register for "ActuallyATrojan" or "BugsInjection" services for some experimental project, thus granting it access to this organization.
Cheers