*if it was forked or is a fork of something public. Only commits made while public can be read.
I feel like I’m missing something
You should read the original research article, which has its own thread someone else linked below. Basically, people often delete a fork after testing the public repo by committing an API key, which can be read using the method mentioned, which GitHub claimed was an intentional design feature.