Why did an action running in the context of public repo even have access to the private repo? Looking at the workflow, it seems to use the github token which should not normally grant rights to a private repo.

Or was it the agent itself that somehow had elevated permissions? If that's the case, you've misconfigured the agent... we know that agents cannot be trusted to enforce anything.