SonarCloud tokens are tied to the user that added the project

Another issue with this is if organizations have some people that are admins in SonarCloud - if they create a token, it gets all the permissions of the user. Which means that administrators cannot really create tokens intended just for project analysis, because those tokens could change system settings as well.

A workaround can be to have a service user in SonarCloud (which would require a user in GitHub for example), and to restrict that user’s permissions to just create project & analyze project.

Since SonarCloud does not have project-specific tokens (Project scoped analysis tokens for SonarCloud), of course this means that any token can analyze any project.