Ok!

@mjg59 It feels like security has gone through a bit of a midwit meme:
[low IQ] If we make the tokens only accessible to the binary that created them, it will be secure!
[medium IQ] But an attacker could easily get them via a zillion other pathways, a partial security barrier is worse than no barrier because of the false sense of security!!!!!!
[high IQ] It will provide some level of protection from generic malware, and also increase the chance our D&R can notice a malicious actor!

@whitequark I have described the Linux kernel's build system as "a build system implemented in GNU make," so, seems normal.