This absolutely does make sense. Keeping things secure while still allowing access when desired is, unfortunately, complicated by nature. We do our best to make it as understandable as possible, but we obviously still have improvements we can make.
I assume that you’re talking about this screen here:
As you can see in my sample here, Travis is asking for access to both my public and private repos, read-only access to my organization membership and teams, etc. What you can see down at the bottom is a list of organizations, including
lee-doppelganger-org. The green check mark next to the
atom organization means that organization has granted access for that application to organization resources. The X next to
lee-doppelganger-org means that organization has not granted access, but because this account is an owner of the
lee-doppelganger-org organization there is the “Grant” button that allows me to do so right here.
If you want to ensure that OAuth applications that are not approved by the organization cannot access organization data, but still allow them access to users' personal data (if they choose), you can enable OAuth app access restrictions for your organization. New organizations have this enabled by default, but if your organization has been around for a while, it may not be turned on for your organization.
I hope that helps and let us know if you have any questions!