It may be “private,” but if it is on someone else’s servers, you don’t own it and you don’t have full control over it. While you trust the current company, that company may go out of business, change hands, or change business plans and start to harvest or sell your “private” repo.
That is the admittedly extreme but still accurate paranoid position. For me personally, it took less work to set up my own Gogs Docker image than it would have to figure out all the encryption options to protect my password and other sensitive information. So I’m not paranoid, I’m just lazy.