It would be much more customer and developer friendly to allow linking a service portal instead of providing a phone number. I would go insane if a user called me directly every time one of my projects had a bug or some perceived (non)issue. No, that’s not how this works.

If you only ever keep your repository private AND it is not a fork of a public repo, then you are fine. Full stop.

If you ever fork the repo and make a “INTERNAL” private fork but move the main project public then anything you commit to the private fork will be discoverable through the public project.

Basically you should assume if you make a repo public then the repo and all of its forks will be public-- even if the forks are “private” the commit data can be found through the main repo.

The original report: https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github