Currently credentials have to be in GLOBAL scope to be used by the github-branch-source plugin. For multibranch pipelines you configure the credentials to be used while setting up the pipeline and you cannot choose SYSTEM scope credentials.
As the credentials are in GLOBAL scope the value can be retrieved in plain text using the withCredential pipeline action. In addition to that the credentials have full write access to private repositories (repo scope). This is bad in our case as we provide Jenkins to multiple teams and they should be able to use the preconfigured read-only credentials to set up pipelines but they should not be able to retrieve credentials with write access in plain text.
My proposal would be to allow privileged credentials to be configured in SYSTEM scope for the plugin in the global system configuration. A user would then just have to choose the read-only credentials in the credentials setting while creating a pipeline. All privileged operations would be executed with the SYSTEM scope credentials, which could also not be retrieved in the pipeline.
I have played around with the implementation here and would be happy to open a PR in case you're interested