Read-only access to branch protection via API

I would like to use the API in a reporting tool to verify the protection on branches in private and public repositories in my organisation: GET /repos/{org}/{repo}/branches/{branch}/protection.

I want to create a personal access token for a user which has owner access but then set the scopes up so that the token can only be used to read data, not update. It seems the only scope which works is repo but that gives full access. This seems risky for something which is just running a report and is not acceptable to the organisation. Is there a scope or a user role that would work? We are using GitHub Team - I’m not convinced that moving to Enterprise would help.

See also Enable Branch Protection GET API Without Admin