Whenever I see private API keys in a private git repo, I tell them of a time when someone forked the repo to work on it but made the fork public and got our email account locked down. And I will also now send them this:
https://trufflesecurity.com/blog/anyone-can-access-deleted-and-private-repo-data-github
More generally: Never use private forks.