Hacker News

That's one reason why if you give out subdomains to users, you should do so on a different base domain than you use for your own subdomains.



It's the exact reason that GitHub moved to github.io for GitHub Pages hosting. At first there were a few individual users still grandfathered in to be allowed to use <username>.github.com for their GitHub Pages, but I don't remember who they were and I don't know if that still works for them this many years later.


The real reason is preventing user-generated content from stealing authentication cookies. If worldmaker.github.com can run a little bit of JavaScript to add @worldmaker as admin to all the user's repositories on github.com, well, that's a problem.
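To make the cookie-scoping point concrete, here is an added example (not from this thread) that implements the RFC 6265 domain-match rule and checks which hosts a session cookie would be sent to; the hostnames are illustrative and the cookies are constructed for the demo.

```python
"""Added example: why a cookie scoped to the parent domain reaches
user-controlled subdomains, while a separate base domain does not.
Implements the RFC 6265 section 5.1.3 domain-match rule; hostnames and
cookies below are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str            # Domain attribute as set by the server (no leading dot)
    host_only: bool = False  # True when the server omitted the Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 5.1.3: the host matches if it equals the cookie domain or
    ends with '.' + cookie domain (so 'evilgithub.com' does NOT match)."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().rstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def cookie_sent_to(cookie: Cookie, request_host: str) -> bool:
    """Would a browser attach this cookie to a request for request_host?"""
    if cookie.host_only:
        # Host-only cookies go to exactly the host that set them.
        return request_host.lower().rstrip(".") == cookie.domain.lower().rstrip(".")
    return domain_matches(request_host, cookie.domain)


def exposure_report(cookie: Cookie, hosts: list[str]) -> dict[str, bool]:
    """Map each candidate host to whether the cookie would be sent there."""
    return {host: cookie_sent_to(cookie, host) for host in hosts}


# Constructed scenario mirroring the thread: a session cookie on the main site,
# once with Domain=github.com and once as a host-only cookie.
SESSION_ON_PARENT = Cookie("session", "github.com")
SESSION_HOST_ONLY = Cookie("session", "github.com", host_only=True)
USER_HOSTS = ["worldmaker.github.com", "worldmaker.github.io", "evilgithub.com"]

if __name__ == "__main__":
    for label, cookie in (("Domain=github.com", SESSION_ON_PARENT),
                          ("host-only", SESSION_HOST_ONLY)):
        print(label, exposure_report(cookie, USER_HOSTS))
```

Host-only cookies keep the parent's cookie away from user subdomains, but a subdomain can still set its own cookie with Domain=github.com that the parent will receive, which is why a separate base domain such as github.io is the cleaner fix.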


Both reasons are true. Also, relatedly, "stealing perceived authenticity": if a user sets up "help.github.com" or "about.github.com" or "wwww.github.com" and then runs a scam from it, it looks like GitHub is running the scam.



