We are using trello boards to list the tasks and their status. While working with an agency who has lent us developer, I proposed them to link branches to our trello tasks using Github powerup for trello.

To which they replied: "After such linking, Trello can see all our repositories from all projects."

I researched for a good answer or an explanation to provide them. I found that this powerup generates a request via access token which provides data in json to be used for later selection and attachment of branch or commit or issue or pull request

That response has the following data:

archive_url: "https://api.github.com/repos/xxxx/yyyy/{archive_format}{/ref}"
archived: false
assignees_url: "https://api.github.com/repos/xxxx/yyyy/assignees{/user}"
blobs_url: "https://api.github.com/repos/xxxx/yyyy/git/blobs{/sha}"
branches_url: "https://api.github.com/repos/xxxx/yyyy/branches{/branch}"
clone_url: "https://github.com/xxxx/yyyy.git"
collaborators_url: "https://api.github.com/repos/xxxx/yyyy/collaborators{/collaborator}"
comments_url: "https://api.github.com/repos/xxxx/yyyy/comments{/number}"
commits_url: "https://api.github.com/repos/xxxx/yyyy/commits{/sha}"
compare_url: "https://api.github.com/repos/xxxx/yyyy/compare/{base}...{head}"
contents_url: "https://api.github.com/repos/xxxx/yyyy/contents/{+path}"
contributors_url: "https://api.github.com/repos/xxxx/yyyy/contributors"
created_at: "2018-09-06T13:32:41Z"
default_branch: "master"

and lot more.

So what is a better explanation to provide them? Trello does store access_token of course^ and that allows trello to access all my git data anytime. 

I would appreciate a legal explanation for this, or are they right? Does this powerup really leaks everything?

^1 : I verified it by opening trello in incognito, the power up was still there and had access