Former Heroku employee, though from long, long, long ago, with no specific knowledge about this incident, but...
We did so much work in open source that it was just easier to assume everything was always publicly viewable, or that what you were doing now might be open sourced in the future along with the full commit history. Whether something was private or public was more a business decision around competitive risks than a security-led one. To that end, I'm far more concerned about a database and passwords getting popped.
But who knows, a lot can change in 10 years. Maybe private repos being exposed is also very bad.