A command line timing attack I just tried seems to be able to distinguish between the two. It seems that, as a logged-in user, the real repo takes around 5% longer to respond than a fake one. But this might not be robust - I just used time + loop in bash. Perhaps someone wants to setup a list of nonpublic+fake repos and see if there's consistent difference.
