Ultimately GitLab has a duty of care to the customers whose code they host. If most of your customers are in the West, and there are persistent security and IP threats from certain national governments, I don't see an alternative here.
There is a lot more nuance than that, and the danger is more about well-placed nationals who can be recruited than government-trained spies.
This is what risk assessments are for. The consequence of every piece of GitLab-hosted code, much of which runs on publicly visible servers, falling into adversarial hands is catastrophic. A government may well make an offer too good to refuse.
On the other hand, there are plenty of other software jobs out there which pose minimal risk, and many companies demonstrably are more than willing to hire Russians or outsource to Russia.
I have to disagree with the idea that it's not a solution; governments refuse to hire foreign nationals all the time and even regulate the private sector through things like ITAR.
Now I agree it's an unfortunate solution in some respects. There are moral issues both utilitarian (1000 Einsteins) and idealistic (all humans are equal). There are also workarounds. For most purposes, if you naturalize and renounce your previous citizenship you will legally be treated as a national. ITAR only requires a green card.
Arguing against discrimination in a security context though, when nationality is indeed a reliable discriminant, is difficult.
The threats you’ve mentioned usually come from Western governments. China is often accused, but attacks by the US have actually been proven - numerous times. Same with backdoors.