Comment by LukeShu

He means that if they set cookies to only apply to the root, then you will have to log in to gist.github.com and github.com separately. Taking access away from the un-trusted code also means taking it away from some trusted code.