This is very true and a risk with any cloud service. I.e., if you make an app and want redundancy, the code is exposed not only by your own security defects, former employees, etc., but also by each cloud provider you host on, such as AWS, GCP, Azure, DigitalOcean, etc. I think in practice the largest mitigation is the legal system, as it's safe to assume your code already exists in places you don't want it to.
Another kid got access to every single private GitHub repo.
It was on Hacker News; he declared it, made a write-up about it and was given a pretty small bounty from GitHub. Google it, otherwise I guess the net was scrubbed of it. I follow him on Twitter, but yeah, just google more and you should find out all about it.
I was always surprised it wasn't a much bigger deal.
Basically, since then I think any company (most that I work for) is clinically insane to upload their proprietary code to the site.
On a related note: was it not just a couple of weeks ago that people were concerned the Codespaces system is using other people's proprietary code? (I haven't kept up to date on that one, so not sure if it's still an issue.)
Now GitHub's code is going to be developed on an online platform, which works by sharing code others have uploaded.
I have a feeling that this is not a good recipe.