by benburleson 2045 days ago
If you can guess keys and secrets, you probably wouldn't use that power to invalidate them!

I suspect this is relying more on a "birthday paradox" approach. The goal wouldn't be to invalidate a particular secret, but rather that with a relatively small number of randomly generated secrets, you would be taking advantage of this setup to invalidate at least some.

The point still stands: If you could do that, you would use them, not invalidate them.

Trying to use millions of generated tokens is not really feasible. Most services will throttle or block you quickly. Also often you would need to know the permissions the token has to get any access.

Writing millions of generated tokens to a text file and pushing them to GitHub is easy.

There is obviously no meaningful benefit to doing this, except potentially breaking some random deployments until they can replace the keys.