We have an application which has accesses this endpoint via GraphQL. We get a permission denied when installed on a user repository, but it works for an organization-owned repository. Is this an oversight or are different permissions required?
Further testing indicates that the query works for the application owner, but not anyone else who installs the application. This seems really surprising.