Even among engineers, most people don't think like a security engineer.

I'm sure there are plenty of people who have access to their company's private repos through their personal GitHub accounts.

At every company I've worked for, past 12+ years, this has been the rule, not the exception. They invite your personal github to corporate repos.

I have read a couple of horror stories where it then becomes impossible to separate the account once you leave the employer.

No thanks. New account per job.

If the organization has public repositories, and the ex-employee has issues/PRs in those repositories, then I think they will continue to get notifications about followups to those issues.

Involvement with private repositories is removed as soon as the organization removes the employee, or the employee removes themselves.

I think the horror stories could only happen if the individual's account has been used for generating many API keys or similar, but there are other reasons not to rely on that sort of thing.

Sounds like a misunderstanding. They just remove you from the org. (And if they don't, it's not your problem.)

No. They have control over your membership in their org and which of their repos you can access, not your repos. Note that a GitHub account can be members of multiple orgs.

So?

My Github profile is part of my CV: it shows the projects I've worked on, and those organizations to which I have commit access. Some of those projects are likely to continue even if I change jobs.

I think this is fairly common for people who work on open source projects.

On the other hand, I’ve known engineers who were harassed on their GitHub accounts because they stopped working on a project when the company transferred them internally. Some people take you no longer corresponding on a GitHub issue extremely personally. Being able to abandon an “work identity” and move on is useful.