"How is this a Github vulnerability? The researchers are the ones that grant the agent access to private repos and then ask it to answer questions in public repos.. of course this allows extracting private information?"
I think the assumption is that the permissions are scoped to the repository you're currently asking questions on, rather than your private repositories as well.
I can see arguments for both sides.
But they explicitly setup the permissions this way.