if someone ever managed to breach all _private_ GitHub repos (I mean it's insanely difficult but not impossible) it would be one of the most catastrophic events in the security history, and if I were a state-level actor that's exactly the kind of target I'd prioritise rn. I was thinking about this scenario since this morning I wanted to push something (more or less sensitive) to a private repo but ended up rolling it back purely out of paranoia. I guess the right threat model for private repos is that it can be assumed to be leaked one day.