Exactly. The system should run in a forcibly limited scope of the current repo only or add permissions for scope to include other org/user repos.

It can't leak a private repo if it can't open it to begin with.