When Gearset first connects to a Salesforce org, it requests a range of permissions:
The primary permission that underlies this is the Modify all data permission. To use Gearset to deploy metadata between your orgs, the user you use to authenticate against the org must have this permission.
Why does Gearset need this permission?
As a deployment tool, Gearset needs the ability to read and write org metadata.
Within the Salesforce metadata API, there is no discrete permission for reading and writing just metadata. The only permission available is Modify all data . As a result, Gearset requests this permission when connecting to an org.
Regardless, unless you're using Gearset's data loader, the app will never read or write any org data.
Salesforce have mentioned the possibility of adding a Modify metadata permission in the API in the future. We will take advantage of this permission if it gets implemented in the future.
Can I control this access?
Gearset's access to an org can be revoked from within the org at any point by the end user, via the OAuth connected apps settings page.