Oh, you can play around with that URL and the scopes too to see how the permissions are affected. Eg change "user" to "user:email". See http://developer.github.com/v3/oauth/#scopes for a list of all the scopes.
Why do you need "write access" to my "private email" (I don't even understand what does it mean — can you change e-mail address I use to log in to GitHub!?)
GitHub's "scopes" (permissions, see http://developer.github.com/v3/oauth/#scopes) are very coarse-grained. So in this case we need to occasionally (via opt-in) add an SSH key to your account, but that permission isn't covered by a fine-leveled scope, so we need the coarse level "user" scope.
Would be nice if they made the permissions more fine grained.
For example split the 'Public repositories and organizations': instead of granting access to all public repos, grant access to only specific repositories.
Yes indeed. CircleCI needs read-access to the repos you need to test, and the ability to add a read-only SSH key to those repos.
Unfortunately, the only way to get that is to ask for read- and write-access to all private repos, which makes nobody happy (see http://developer.github.com/v3/oauth/#scopes for the actual options).
We lose so many users due to the permissions we need at https://circleci.com, this is going to be awesome!