I agree; you can easily have an authenticating proxy. Like I said, I'm guessing that they decided it was a static page on a public CDN first, so now it's hard to add an authenticating proxy on each CDN node. If they wanted auth from the start, then it wouldn't be a static page sitting on a CDN node, and it would be easy to add. (But harder to scale to a CDN, and thus we'd see a lot of Github Pages sites slashdotted or whatever.)
I could easily be completely wrong about this. But it's interesting, to me, to consider the order that features were requested, and how that affects future feature requests. Sometimes you paint yourself in a corner and make easy things hard. Something to think about as you plan your own software!
If you ask me, any page whose behavior depends on the currently logged-in user's identity, including the list of groups they're a member of, is not "static" in any meaningful sense.
Most people use "static" to mean that there is only one version of a response body. I guess denying access is technically a second version of the response body, but that's kind of a stretch because the layer where the body lives (ok, the two bodies: one for 200 and one for 403) doesn't need to be capable of business logic (like conditionals, db queries, etc.) during the request/response cycle. It uses them in perpetuity without tailoring them to the session.
I could easily be completely wrong about this. But it's interesting, to me, to consider the order that features were requested, and how that affects future feature requests. Sometimes you paint yourself in a corner and make easy things hard. Something to think about as you plan your own software!