Using the pull_request trigger defaults to RW permissions for local PRs and RO permissions for forked PRs. And using the pull_request_target will default to RW for both.

The use of pull_request_target is a security issue and an opening for malicious code