
Service accounts are a valid security pattern - what does it mean, project scoped?


I mean, let me limit a token's access to only a certain repository or subset of images or whatever the service is, rather than anything in my account.

Separate accounts are a massive pain to manage by comparison.


It would be a valid security pattern if it was created under the org scope, but it isn't.

A "service account" on GitHub is just another user account tied to a real user with that user's MFA (if MFA is enabled, and since we're referring to valid security patterns, it should be).

GitHub's organizational features are poor.



