When you request an archive of your data, we send the download link to your primary email address (the required token is not available via the web UI). Once you click that link, you'll be asked to re-enter your password. So for this particular feature, an attacker would need both your GitHub password (and your 2FA seed or an active session if 2FA is enabled) and access to your email.
jwilk|7 years ago
The docs says it's "only available to authenticated account owners"; I hope it means you can't use a token for that, but I'm not sure.