Oh, no. I’m not suggesting to “grant the upstream repo access to your secrets.”
I’m suggesting that your secrets are used only for that one PR test sent at the time the PR is created. This would be the same CI test ran on your own fork (for the same commit) prior to the PR. Future changes to the upstream branch would not use your secrets.