
Well, it works for every repository the user who is doing the spoofing has access to, private or public. If the user has access to your private repository via the GitHub ACL, they'll be able to create a PR to it with their spoofed profile.

But yes, if you have a private repository only you and Dependabot have access to, no user would be able to perform this spoof against your repository.




This is probably the intended behavior of GitHub, but correctly maintaining that invariant is exactly the sort of functionality middle management and project managers tend to deprioritize.

“How could they get the repo uuid without access, and even if they had it, the worst they could do is create an issue or PR that they can’t even read.”



