Re: shortsighed on Github's end too
Then the control should be to "enable sharing of sensitive data"; i.e. installing the "plugin" should circumvent the normal rules which prevent uploading/sharing of private data.
Because bloatware is not entirely fictitious. And defaulting things to off, and then slowly enabling things you've had time to research, should be a policy that works.