...but, like, why even offer an API at that point? Now every API-initiated PR is going to be suspect. And this will only work until the bots figure out the internal API or use the website directly.

Uh... i think Graphite (yay, stacking!) uses the API pretty heavily.

yep we do! another big use case for it seems to be big enterprises for their own internal tools - we see this a lot with our largest customers.

but the OSS use case described here is a pretty different case, what OP suggested may still be useful there