Does a GITHUB_TOKEN work the same way, with a maximum of my permissions?
No, the GITHUB_TOKEN does not have the full access.
As you can see in the introduction from the docs shared by @nethgato about the GITHUB_TOKEN, the permissions of the GITHUB_TOKEN are limited to the repository that contains your workflow.
And even in the workflow repository, the GITHUB_TOKEN does not have full access; for example, you can't use the GITHUB_TOKEN to add, update or delete workflow files.
Many APIs related to workflows require that the authentication token have the 'workflow' scope, but the GITHUB_TOKEN does not have this scope.
The GITHUB_TOKEN is generated to authenticate on behalf of GitHub Actions. No matter who triggers the workflow, the permissions of the GITHUB_TOKEN are fixed. Normally, its permissions won't differ according to which user triggers the workflow.
My ultimate question is: could somebody who doesn't have access to a repo initiate a workflow action that needs a GITHUB_TOKEN, and have it run and make changes to the repo?
To trigger a workflow in a repository, the user should be a collaborator with Write permission in the repository. Normally, external users can't trigger workflows in the repository.
If external users use a pull request from a forked repository to trigger a workflow, the GITHUB_TOKEN only has read permissions for some scopes.
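The points in the answer above can be made concrete in a workflow file. The following is an added example, not code from the thread or from GitHub's docs: a hypothetical `ci` workflow that declares the GITHUB_TOKEN permissions it needs with a `permissions:` block instead of relying on the default grant, keeps the token read-only for every job by default, and hands out `contents: write` only to a job that never runs on `pull_request` events. The job names, the `npm` commands and the `LAST_BUILD` file are assumptions for illustration.

```yaml
# Added example (not from the thread above): a workflow that spells out the
# GITHUB_TOKEN permissions it needs rather than relying on the default grant.
name: ci

on:
  push:
    branches: [main]
  pull_request:

# Workflow-level default: every job receives a read-only token unless it
# overrides the grant below. Permission scopes not listed here are "none".
permissions:
  contents: read

jobs:
  test:
    runs-on: ubuntu-latest
    # Inherits the read-only token. For a pull_request opened from a fork the
    # token is read-only no matter what a job requests, so this job behaves the
    # same for collaborators and for external contributors.
    steps:
      - uses: actions/checkout@v4
      - run: npm ci && npm test   # hypothetical test command

  publish-notes:
    needs: test
    # Only runs for pushes to main, never for pull_request events, so the write
    # grant is never handed to a run that a fork PR triggered.
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    permissions:
      contents: write   # the one extra scope this job needs: pushing a commit
    steps:
      - uses: actions/checkout@v4   # persists the GITHUB_TOKEN for git push
      - run: |
          # Hypothetical generated artefact committed back to the repository.
          date > LAST_BUILD
          git config user.name "github-actions[bot]"
          git config user.email "github-actions[bot]@users.noreply.github.com"
          git add LAST_BUILD
          git commit -m "ci: record last build" || exit 0
          git push
```

Two things worth checking when reviewing such a file: first, that the workflow-level `permissions:` block is present, because without it the token falls back to the repository's default grant; second, that no job that holds a write scope is reachable from a `pull_request` event. Even with `contents: write`, the job above could not add or modify files under `.github/workflows/`, since, as the answer notes, the GITHUB_TOKEN never carries the `workflow` scope and `permissions:` cannot grant it; a job that must edit workflow files needs a separately issued token stored as a secret.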