I don't know but I guess the smaller fish are protected by virtue of them not being worth the automation effort. A bad actor can spend a lot of time and effort attacking Github and have their efforts exposed to so many more developers than the same sort of effort on, say, Codeberg would achieve.
And you'd be shooting yourself in the foot anyway. At "codeberg scale" it's possible to entirely take over the platform with spam and malicious repos, at which point codeberg will implement drastic limits to prevent this like manual account verification or some such, which will stop it. It would be an enormous waste of time for everyone.
