I just explained it - if it returned a different code than 404, you could automatically generate a list of private repositories for an organization by just probing all possible URLs. While not a real risk in the classical sense, it’s still private information. Everyone knows Epic has an UnrealEngine repo, but if Microsoft has a WindowsWithLinuxKernel repo, that’s probably not information they want to be public. Private means private.
Go to GitHub’s issue tracker to see other people say the same thing (one with the same Half-Life 3 example I jokingly gave above): Private repositories should not return 404 · Issue #162 · dear-github/dear-github · GitHub
Can we go back to Linux discussions instead of feature requests for GitHub?