- You can't pull in private dependencies published from other repos (for example, packages published on repo A used as a dependency on repo B) without using a private access token.
- You can't use git pulls from other repos (for example, repo B using `orgname/repoA#123456` as a dependency in package.json) without using a private access token, and it's a pain in the ass to make it work across workflow steps.
- You can't allow Dependabot to run as a trusted user, which makes it impossible to actually use any of the workarounds for the above issues with it.
- You can't create PRs to publish changes across repos (such as automatically keeping some set of files in sync) without using a private access token.
There are other complications, but those are the biggest ones.
(There's a workaround for the Dependabot issue though: use `pull_request_target` instead and explicitly check out the SHA of the branch. Then the run can access the secrets.)
I would also add "you can't rerun single jobs" and "actions can't call other actions" to the list of grievances.
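The `pull_request_target` workaround for Dependabot mentioned in the thread, written out as a workflow file. This is an added example, not code posted by any commenter; it is gated on Dependabot as the PR author because the checked-out PR code runs with access to the repository's secrets. The workflow name, the secret name `NPM_TOKEN`, the registry URL and the Node/npm steps are assumptions.

```yaml
# Added example (not from the thread). Workflow name, NPM_TOKEN, the registry
# URL and the npm steps are assumptions chosen for illustration.
name: dependabot-ci

on:
  # Runs in the context of the base repository, which is why secrets are
  # available to the run (the point of the workaround).
  pull_request_target:
    types: [opened, synchronize, reopened]

# Keep GITHUB_TOKEN read-only: this job executes code from the PR branch.
permissions:
  contents: read

jobs:
  test:
    # Only run for PRs authored by Dependabot. Without this gate, any PR's
    # head commit would be built next to the secrets below.
    if: github.event.pull_request.user.login == 'dependabot[bot]'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # pull_request_target checks out the base branch by default;
          # explicitly check out the exact commit of the PR branch instead.
          ref: ${{ github.event.pull_request.head.sha }}
          # Do not leave the token in .git/config for later steps to read.
          persist-credentials: false

      - uses: actions/setup-node@v4
        with:
          node-version: 20
          registry-url: https://npm.pkg.github.com

      # The private-registry token is scoped to the install step only.
      - run: npm ci
        env:
          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}  # hypothetical secret name

      - run: npm test
```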