GitHub discovered the same thing a long, long time ago, which is why you now have the github.io domain.

In GitHub's case, I think it was also because a lot of security boundaries were using TLD, which led to x.github.com potentially grabbing cookies of y.github.com or, worse, github.com itself.

https://news.ycombinator.com/item?id=5500612
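The cookie scoping behind the comment above, as an added example that is not part of the original thread: a simplified model of RFC 6265 cookie storage and domain matching, showing why a sibling subdomain under a shared parent can set a cookie the parent receives, and why a parent listed as a public suffix (as github.io is) blocks that. `PUBLIC_SUFFIXES` is a small constructed stand-in for the real Public Suffix List, and `x.github.io` / `y.github.io` are hypothetical hostnames.

```javascript
// Constructed stand-in for the Public Suffix List (the real list is far larger).
const PUBLIC_SUFFIXES = new Set(["com", "io", "github.io"]);

// RFC 6265 section 5.1.3: a host domain-matches if it is identical to the
// cookie domain or ends with "." + cookie domain.
function domainMatch(host, cookieDomain) {
  return host === cookieDomain || host.endsWith("." + cookieDomain);
}

// Model of RFC 6265 section 5.3 (domain handling only): returns the stored
// cookie scope, or null when the user agent ignores the Set-Cookie.
function storeCookie(settingHost, domainAttr) {
  const host = settingHost.toLowerCase();
  let d = (domainAttr || "").toLowerCase().replace(/^\./, "");
  if (d && PUBLIC_SUFFIXES.has(d)) {
    if (d !== host) return null; // Domain=<public suffix> is rejected
    d = "";                      // suffix host itself: falls back to host-only
  }
  if (!d) return { domain: host, hostOnly: true };
  if (!domainMatch(host, d)) return null; // cannot set cookies for unrelated hosts
  return { domain: d, hostOnly: false };
}

// Would the stored cookie be attached to a request for requestHost?
function isSentTo(cookie, requestHost) {
  if (cookie === null) return false;
  const h = requestHost.toLowerCase();
  return cookie.hostOnly ? h === cookie.domain : domainMatch(h, cookie.domain);
}

// Shared registrable domain: a user page can scope a cookie to the parent.
const wide = storeCookie("x.github.com", "github.com");
console.log("x.github.com -> y.github.com:", isSentTo(wide, "y.github.com"));
console.log("x.github.com -> github.com:  ", isSentTo(wide, "github.com"));

// Public-suffix parent: the wide cookie is refused, host-only cookies stay put.
const refused = storeCookie("x.github.io", "github.io");
const hostOnly = storeCookie("x.github.io", "");
console.log("x.github.io Domain=github.io stored:", refused !== null);
console.log("x.github.io -> y.github.io:", isSentTo(hostOnly, "y.github.io"));
```
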

Don't forget the `githubusercontent.com` domain, which is specifically used to host risky, user-generated content, and fully documented in https://docs.github.com/en/authentication/keeping-your-accou... (using an open source component that other companies could also use, if they were interested in similar levels of security)