Giving a 401 indicates that there might be a resource, though, which can also be harmful.
It is fairly common to return a 404 to unauthorized users (or users with not enough permission) so you don't give away meta information. Granted, for the public search, it should return an appropriate error code but they should not do that for private repositories. Thus it think it is fair to assume that they have a policy: if user/guest does not have sufficient permission, always return an error 404.
That makes sense for endpoints like /admin, but it's more confusing than it's worth for users when the endpoint is otherwise rather public. Well, just see this comment thread.
As an example, in this case with the /issues page, redirecting to `/login?redirect-to=/issues` would be more user-friendly since it signals that the page exists but you must authenticate.
I assume to prevent exposing the names of private repositories, correct? For the main(global) search page it would seem reasonable easy to just omit that from the search results.