It’s a GitHub App, so just install and forget about it — nothing else is required on your part.
The only prerequisite is that you actually use Registrator rather than manually creating registry PRs.
The app unfortunately requires repository write access, but there aren’t more granular permissions that can be granted for just releases.
If you’re concerned, please view the source code which is available here.
The only interaction with your repository is the release creation, which is handled by Google’s GitHub API library.
Edit: TagBot will not change your usage of Registrator at all, it only completes the previously manual task of creating GitHub releases for you (see this comment).