Everyone here is arguing about what the agent could read but the leak only happened because it could write the data back out as a public comment on the issue. That is the half worth cutting.. You will never win the injection fight on the input side but an agent triggered by a public issue shouldn't be able to post public output containing anything it pulled from a private scope. The scary sounding permission is the read .. the one that actually leaked is the public write back.
The actual damage comes from volume without accountability.. no attribution, no source no way to verify. The same problem existed with content farms pre AI it's just cheaper and rampant now. Communities that survived content farms did it with one rule.. cite your source or get removed. That still works. but again the irony is that the source could be some ai slop..
OpenAI API has had 7 incident-days this month. Anthropic has been relatively clean outside this one. The frustrating part is you usually find out from Twitter before the status page updates.