Private repos can be turned public, intentionally or by mistake. Repos can be exported to give software to third parties. Also, git users clone repos, which means that those secrets are copied every where. Can you make sure those stay private too? Do you make your developers encrypt their laptops or delete repos from them before they leave their house or office?
Also, it's possible that when you have a secret in a private repo, it accidentally leaks when you deploy that repo to a public server. And it's easier to do this than you'd think, e.g. by a mix of a few unrelated changes by different developers.
Also, when an attacker gets access to one private repo by some means, you don't want him to pwn your whole organization.
