
The only thing I really disagree with in the article is that security needs are opposed to a good user experience.

It is certainly true that security needs can sometimes get in the way of better UX although there is plenty of security that users never encounter. It is also true that the UX of many security designs is awful. However, it is not true to say that security requirements are opposed to good UX.

You can absolutely create good UX with good security, but it will require more effort. Improving your UX doesn't normally hurt security. In fact, having better UX can help security. Conversely, improving your security does not inevitably hurt your UX (although it certainly can if you don't give it sufficient consideration).




I think GitHub is an example of those. 9 of 10 integrations just ask for blanket permissions. Effectively, "give us permissions to edit and make commits to all of your repos, and every other possible thing that's possible to do on GitHub, and in return we'll set up everything so our service works for you immediately."

Vs. here's 10 to 20 steps you can follow to give us the minimum permissions to use our service with a single repo. Go manually make repo-specific tokens with specific permissions (10 steps), then go paste those tokens into our service (4-5 steps), now go add these actions to your repo (4-5 steps) and set these settings in that repo (5-15 steps).

So in this case, security is at odds with UX.

IMO, this is GitHub's fault. Instead of providing an API and UX that would let users specify specific repos and choose specific permissions per repo, they did the more obvious and technically simpler thing. But, unfortunately, the more obvious, easier thing means the path of least resistance for integrations is to ask for all permissions.

I would argue you could paint that as GitHub has not made security their top priority. If they cared about security, then the path of least resistance would lead to the most secure integrations instead of what they have now, which leads to the least secure integrations.


That's a great example of where the design space gets harder and requires more effort to do well, but not that security is inevitably at odds with UX. Just that it gets harder to design well.

I think you're right about GitHub taking the most obvious route and prioritising UX over security.

Managing permissions and getting to least privilege is a huge problem in security. If you rely on users to do it, they will pretty much always assign maximum perms. It's too much hassle to figure it all out, and maybe have something break later.

Just spitballing, but maybe an alternate way would be for GitHub to require integrations to specify their least privilege permissions to operate in a manifest. Users would just approve an integration for whatever repos they like, and GitHub would set things up so it operated in least priv config for you in those repos. The user gets better security and a better UX.

Maybe that wouldn't work for some reason, there are probably loads of things wrong with it. But my point is that further thought about the goals of the user (which includes having a secure system) could lead to a much better UX and better security.
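
Added example, not part of the thread and not GitHub's API: one way the manifest idea in the comment above could work, where the integration declares its permissions once, the user only picks repos, and the platform denies everything else. All names (`validate_manifest`, `install`, `is_allowed`, the scope names and the sample manifest) are hypothetical.

```python
# Hypothetical model of manifest-declared least privilege.
# Nothing here corresponds to a real platform API.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}


def validate_manifest(manifest):
    """Return the declared scope -> level map, rejecting blanket requests."""
    perms = manifest.get("permissions", {})
    if not perms:
        raise ValueError("manifest must declare at least one permission")
    for scope, level in perms.items():
        if scope == "*" or level not in LEVELS or level == "none":
            raise ValueError(f"invalid permission: {scope}={level}")
    return dict(perms)


def install(manifest, approved_repos):
    """The user only chooses repos; the per-repo grant comes from the manifest."""
    perms = validate_manifest(manifest)
    return {repo: dict(perms) for repo in approved_repos}


def is_allowed(grants, repo, scope, level):
    """Deny by default: unapproved repo, undeclared scope, or a higher level."""
    granted = grants.get(repo, {}).get(scope, "none")
    needed = LEVELS.get(level)
    return needed is not None and 0 < needed <= LEVELS[granted]


# Constructed sample: a CI integration that reads code and writes build status.
CI_MANIFEST = {
    "name": "example-ci",
    "permissions": {"contents": "read", "statuses": "write"},
}

if __name__ == "__main__":
    grants = install(CI_MANIFEST, ["acme/web"])
    for request in [
        ("acme/web", "contents", "read"),    # declared and approved
        ("acme/web", "contents", "write"),   # exceeds the declared level
        ("acme/api", "contents", "read"),    # repo never approved by the user
        ("acme/web", "secrets", "read"),     # scope never declared
    ]:
        print(request, "->", "allow" if is_allowed(grants, *request) else "deny")
```
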


It is in the interest of the integration to ask for the maximum level of privilege, since it future-proofs their app, and there is no cost to them (security breaches are externalities they don't pay for).


My employer uses Microsoft as a single sign-on and the poor UX is a huge risk. People just get sick of endless shoddy login prompts and authenticator app warnings. It trains users to enter credentials without enough thought. Something like passkeys could be so much better. Security needs to consider unintended consequences of user behaviour much more thoroughly.


I don't know about impact on UX, but I do think it's true that security and convenience are opposed to each other. Increased security comes at a cost of decreased convenience.

I can't prove this is a fact, but I do know that I have yet to see an exception to it.


This is obviously true in a trivial sense. You don't want people stealing from your house, so you lock the door and have to carry keys, and get locked out if you forget them.

The need for security creates a set of additional requirements that have to be fulfilled. If you didn't have to fulfil them, things would indeed be more convenient.

This is also true of requirements in general, not specific to security. If you don't need them, things can be simpler and more convenient.


I'm not sure I understand your point (particularly about the "in a trivial sense"). We seem to be in agreement here.



