Installing extensions in your browser is inherently insecure, you're trusting the authors of the extension with your data.

If you don't trust Refined GitHub authors, you can review the code, build the extension manually and run it locally.

The extension has access only to GitHub.com and any additional GitHub Enterprise instances you explicitly grant access to.

Refined GitHub only runs when those tabs are open, no code runs unless GitHub or the options page is open (with the exception of scheduled cache cleaning)

Most of Refined GitHub works as is, with only access to the DOM. Some features however require access to the API using your token.

It's recommended that you create and set a valid token to make the most of Refined GitHub. Some feature may stop working without it.

The token is stored locally in the extension storage and synced with your browser vendor, if extension sync is enabled in your browser.

Fine-grained tokens are not supported, see why

If your organization blocks personal access tokens, you can use the GitHub CLI to generate a token with gh auth login and gh auth token.