Doing that requires write access if you're a Github Application. You can't just fork repositories back into another org, since Github Applications only have the permissions of the single organization that they work with. Rulesets that prevent direct pushes to specific branches can help here, but have to be configured for each organization.

It updates the existing PR with the tests, I believe. They'd still get reviewed and go through CI.

Right, the downside being that the app needs write access to your repository.

Writing to PR branches should really be some new kind of permission.