There's a documentation for Azure Pipelines that elaborates what kind of authentications can be done to access GitHub repositories: GitHub App, OAuth and Personal Access Token. (https://docs.microsoft.com/en-us/azure/devops/pipelines/repos/github?view=azure-devops&tabs=yaml#github-app-authentication)
The documentation says that the GitHub App authentication is the "recommended" one but later it does not really turn out why this is the case... E.g. there is one interesting thing that worked with GitHub App authentication: Creating a yaml pipeline where you define a container ACR resource with a "latest" trigger. With the correct ARM Service Connection from the yaml somehow Azure DevOps is creating an Webhook for the specific ACR however if you use PAT it is not the case.
Is there an actual best practice for the authentication type? Or generally a good argument why one is better than the other?