Yes, unfortunately it is true. Sad, but I could live with that.
What in my opinion is unacceptable is that it requires you to give permission to "read your organization and team membership and private Projects".
I made a separate GitHub account (weinzierl-trusted-publisher) for crates.io which is far from ideal, because it works completely against the idea to build trust for a single unified identity online, but ¯\_(ツ)_/¯.
Multiple free accounts are also against GitHub TOS.