Not my field, but security would clearly be a greater issue for repos held in a publicly accessible site vs those only accessible over a VPN.

Sure, dogfooding is good, but commercially sensitive repos would seemingly - to my naive view - be better on private servers?