I haven’t tested it myself, but it requiring specifically the broadcaster’s token is what I would expect.
A broadcaster has to explicitly grant who can edit their channel, either by going through the OAuth process themselves and granting a token with that scope to a 3rd party, or by selecting a user and making them an editor. If that editor could then go on to go through the OAuth process, they could be granting any number of 3rd parties access to edit that broadcaster’s channel, potentially without their knowledge.