Option to not display new comment form by WeixuanZ · Pull Request #374 · utterance/utterances
@mmt responding to your questions:
Am I wrong in my understanding that this project is accumulating the "Act on your behalf" privileges for more and more users? Doesn't that make the App a plum target for an exploit / attack in the future?
The app doesn't store any user information. No github user ids, no oauth tokens, nothing. When the OAuth token is issued it's encrypted on the Utterances server and sent to the client to be stored in local storage. When the client needs to post a comment it sends along the encrypted token which the Utterances service decrypts, calls the GitHub API, and then discards.
If the requested privileges are constrained only to posting issues to the project using utterances then maybe the real thing that's missing is for the GitHub App authorization page to be more informative (i.e. saying what "Act on your behalf" means in detail).
The Utterances GitHub App only uses the "issues" permission. Read more about permissions in the github docs. The tldr; is signing into utterances results in a github oauth token that has permissions equivalent to the intersection of what the Utterances app can do (manage issues/comments on repos where it's installed) and what you can do. This essentially limits it to creating issues and posting comments where it's installed. I agree, "Act on your behalf" is pretty vague/scary, all I can do is assure you Utterances requests the least permissions possible and doesn't store your creds/information.