Only asking for repo:public_repo should solve for the "I'm not giving you private repo access" concern. (I'm not, either! Nothing personal, but if that stuff was ready for prime time it wouldn't be private.)
The "fine-grained token" beta is what you really want to use if you can, because that does give single-repository access, which classic GitHub OAuth tokens do not. No idea how or if it's possible yet to use that type of token in your grant flow, but that's where you probably want to be looking.
Thanks for the details. I was looking at the fine-grained token, but the user would then have to provide me with the token and then I'd have to store that on my end. Since I'm trying to avoid storing any user data, that doesn't really play into the structure at all.
With regards to the public token thing, it's a bit of the same complexity, since I would need to know if the repository the user is using is public or private and then configure the OAuth scopes appropriately, since I do want to have support for private repos (as that's how I use it currently).
You could keep a fine-grained token in local storage, maybe. Bit of a headache for multiple device/browser use, but I guess that's the tradeoff - lose adoption to mistrust due to GitHub making you request overbroad permissions with a classic token, or lose adoption to friction due to GitHub not yet making fine-grained tokens available in their OAuth grant flow.
It might get easier once fine-grained tokens leave beta. I don't know if OAuth support is on the roadmap for that, but it seems like a natural enough fit I'd be astonished if it weren't.