Everyone here is arguing about what the agent could read but the leak only happened because it could write the data back out as a public comment on the issue. That is the half worth cutting.. You will never win the injection fight on the input side but an agent triggered by a public issue shouldn't be able to post public output containing anything it pulled from a private scope. The scary sounding permission is the read .. the one that actually leaked is the public write back.