GitHub Pages are served with Access-Control-Allow-Origin: *, so the SOP doesn’t apply.
They also don’t set a CSP header, which opens up the opportunity to exfiltrate data by other means, e.g. having the browser load an image on your.site/$password.jpg.
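
A defender-side check for the two header conditions described above, as an added example that is not part of the original text: it reports whether a response carries a wildcard CORS header and whether its CSP (if any) would still let the page load an image from an unrelated origin. The function names, the sample headers and the `collector.example` / `user.example` hosts are constructed for illustration, and the CSP matching is simplified (no ports, paths or multiple policies).

```javascript
// Added example: simplified CSP source matching (ignores ports, paths and
// multiple policies); all function names here are hypothetical.
function parseCsp(value) {
  const policy = new Map();
  for (const part of (value || "").split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    // The first occurrence of a directive wins; later duplicates are ignored.
    if (name && !policy.has(name.toLowerCase())) policy.set(name.toLowerCase(), sources);
  }
  return policy;
}

function sourceMatches(source, target, self) {
  const s = source.toLowerCase();
  if (s === "'none'") return false;
  if (s === "'self'") return target.origin === self.origin;
  if (s === "*") return ["http:", "https:"].includes(target.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(s)) return target.protocol === s; // scheme source
  const m = s.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/);
  if (!m) return false;
  const [, scheme, host] = m;
  if (scheme && target.protocol !== scheme + ":") return false;
  // "*.example.com" matches subdomains only, not example.com itself.
  if (host.startsWith("*.")) return target.hostname.endsWith(host.slice(1));
  return target.hostname === host;
}

function imageLoadAllowed(cspValue, targetUrl, selfUrl) {
  if (!cspValue) return true; // no policy at all: every image load is allowed
  const policy = parseCsp(cspValue);
  const sources = policy.get("img-src") ?? policy.get("default-src");
  if (sources === undefined) return true; // neither directive restricts images
  const target = new URL(targetUrl), self = new URL(selfUrl);
  return sources.some((src) => sourceMatches(src, target, self));
}

function auditHeaders(headers, selfUrl, probeUrl) {
  const h = Object.fromEntries(
    Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  return {
    wildcardCors: (h["access-control-allow-origin"] || "").trim() === "*",
    imageChannelOpen: imageLoadAllowed(h["content-security-policy"], probeUrl, selfUrl),
  };
}

// Constructed sample: wildcard CORS and no CSP, as the text describes.
const sample = { "Access-Control-Allow-Origin": "*" };
console.log(auditHeaders(sample, "https://user.example/", "https://collector.example/a.jpg"));
```

Adding a policy such as `default-src 'self'; img-src 'self'` to the sample headers flips `imageChannelOpen` to `false`, which is the mitigation the missing header would have provided.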