@sgolemon
Last active August 29, 2015 14:23
Questionable use of GitHub APIs

Over-reacted to second-hand info and misinterpreted docs.

I do think OAuth providers (like GitHub, Twitter, Facebook, etc.) should do more to discourage apps from requesting write access. It PARTICULARLY disturbs me that admin:public_key is even an option in GitHub's scopes. So the potential for disastrous outcomes certainly exists when granting access to apps via GitHub's OAuth system, but provided that you carefully read what you're granting access to, it's not necessarily as bad as my original post (left intact below) made it out to be.


During a Twitter conversation[1] this morning, I discovered that in order for an application to get something as simple as your name during a single sign-on, it has to ask for full user profile information. That's a bit scary by itself, but when asking for full profile information, it also has to ask for read and WRITE permissions.[2]

Yes, in order to use single sign-on to a 3rd party site, I have to give that site the rights to modify my email address list. A malicious site might potentially insert an address they control, which for an account without 2-factor authentication, means an easy take-over, and subsequent ability to poison any repos you control.

In OSS development circles, we call this "worst case scenario". Well done, GitHub.
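The practical question raised above is how to tell, before clicking "Authorize", whether an OAuth link asks for more than the data the app actually needs. The script below is an added example, not part of the gist: it parses the `scope` parameter of a GitHub authorize URL, labels each scope as write-capable or read-only, and compares the request against the least-privilege scope set for the profile fields an app says it wants. The scope names and their meanings are taken from GitHub's published scope list (reference [2]); the write/read grouping, the `MINIMAL_SCOPE_FOR` table and the sample URL (with a placeholder client id) are this example's own assumptions.

```python
"""Added example (not part of the gist): audit the scopes an OAuth
"authorize" link asks for, so a reviewer can spot write-capable grants
and over-broad requests before approving them.

Scope names follow GitHub's documented list
(https://developer.github.com/v3/oauth/#scopes). Grouping them into
"write" and "read" is this example's own assumption, limited to scopes
whose documented effect is unambiguous.
"""
from urllib.parse import urlparse, parse_qs

# Scopes that let an app change something on the account (assumed grouping).
WRITE_SCOPES = {
    "user": "read/write access to profile information, email addresses included",
    "repo": "full read/write control of private and public repositories",
    "public_repo": "write access to public repositories",
    "gist": "write access to gists",
    "admin:public_key": "full control of the account's SSH keys",
    "write:public_key": "can add SSH keys to the account",
    "admin:org": "full control of organizations and teams",
    "delete_repo": "can delete repositories",
}

# Scopes that only read (assumed grouping).
READ_SCOPES = {
    "user:email": "read access to the account's email addresses",
    "read:public_key": "read access to the account's SSH keys",
    "read:org": "read-only access to organization membership",
    "notifications": "read access to notifications",
}

# Least-privilege scope for common single sign-on data (assumed table).
# With no scope at all a token still grants read-only access to public
# information, which includes the public profile (login, public name).
MINIMAL_SCOPE_FOR = {
    "login": "",
    "name": "",
    "public_email": "",
    "private_email": "user:email",
}


def requested_scopes(authorize_url):
    """Return the scopes listed in the URL's ``scope`` query parameter.

    GitHub documents the list as space-delimited; comma-separated lists
    are also seen in the wild, so both separators are accepted here.
    """
    query = parse_qs(urlparse(authorize_url).query)
    raw = " ".join(query.get("scope", []))
    return [s for s in raw.replace(",", " ").split() if s]


def audit_authorize_url(authorize_url):
    """Classify each requested scope as write-capable, read-only or unknown."""
    report = {"write": [], "read": [], "unknown": []}
    for scope in requested_scopes(authorize_url):
        if scope in WRITE_SCOPES:
            report["write"].append((scope, WRITE_SCOPES[scope]))
        elif scope in READ_SCOPES:
            report["read"].append((scope, READ_SCOPES[scope]))
        else:
            report["unknown"].append((scope, "not in this example's table"))
    return report


def least_privilege_scopes(fields):
    """Smallest scope set that covers the requested profile fields."""
    needed = {MINIMAL_SCOPE_FOR[f] for f in fields}
    needed.discard("")  # "" means no scope is needed for that field
    return sorted(needed)


def excess_scopes(authorize_url, fields):
    """Scopes the URL asks for beyond what ``fields`` actually require."""
    needed = set(least_privilege_scopes(fields))
    return [s for s in requested_scopes(authorize_url) if s not in needed]


if __name__ == "__main__":
    # Constructed sample link; the client_id is a placeholder, not a real app.
    url = ("https://github.com/login/oauth/authorize"
           "?client_id=PLACEHOLDER_CLIENT_ID&scope=user%20admin:public_key")
    for kind, entries in audit_authorize_url(url).items():
        for scope, why in entries:
            print(f"{kind:8} {scope:18} {why}")
    wanted = ["login", "name"]
    print("needed for login+name:", least_privilege_scopes(wanted) or "no scope")
    print("excess:", excess_scopes(url, wanted))
```

For an app that only wants the login and public name, `least_privilege_scopes` returns an empty list, so every scope in the sample link shows up as excess; a reviewer reading the audit output sees at once that `user` and `admin:public_key` are write-capable grants the app has no stated need for.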

1 - https://twitter.com/SaraMG/status/614518376572936192
2 - https://developer.github.com/v3/oauth/#scopes

@sgolemon (Author)

Hopefully @Imgur looks at this and can comment. It certainly seems like a much saner approach to reading what is already public info.
