From what I read here, the problem is that EVIL.app can read your git tokens, too, without you having anything to say about it.

Yes, you want a system that allows sharing of those tokens between various tools, but you also want the user to be in control of which tools can share them.