There's very little guarantee as to where the GitHub-provided runners are executed. There's very little guarantee as to what the auto-updating self-hosted runner binary does. There's very little guarantee as to what the GitHub-provided containers and actions contain.
It is also unsupported - and exceptionally hard - to execute runners without GitHub being available, or to migrate off of the proprietary action descriptor format.
Running GitHub Enterprise locally may relieve some of these issues, but using GitHub.com with GitHub Actions is somewhat of a security and reliability nightmare, unless you trust Microsoft's GitHub with infinite wisdom and 100% uptime.
The same thing could be said of any build system unless you run it yourself and invest a lot of effort in locking it down. Then you have to worry about what is running in your build system... at some point, this all becomes paranoia.