Webhooks and services is a single permission. The build service cannot request just webhooks without services. The reason it is required is the build service requires GitHub to send a webhook ping when the main branch of your configured repository is updated. This cannot be set up without the permission requested above.
I believe github restricts the permissions to per-organisation (your personal namespace counts as an organisation in this sense) so you can only restrict t he permission grant to a group of repositories under a https://github.com/organisation-name/* equivalent namespace.
I just created a separate organization account, but the auth dialog still says that build-snapcraft-io wants to access my personal GitHub account (there is an option to also give access to an organization).
Actually, GitHub provides an intuitive interface for adding webhooks to a selected repository.
However, I don’t know what specific payload should be sent to Snapcraft. I also can’t access the repository selection page on snapcraft.io web portal without first giving the excessive GitHub permissions.
I did some further research, it turns out Snapcraft requests access to the personal GitHub account, access to the resources owned by organizations associated with the personal account is restricted by default. Still, it would be safer to just let developers setup the webhook manually on a per-repo basis.