Not criticizing you, your technical correction is valid, but the discussion is besides the point. "Encryption at rest" is basically meaningless for something like GitHub. Not being able to pull out a hard drive in a data center and read it at home has been table stakes for some time. But how few people are able to do that anyway? A blog post like the above is just necessary to tick some boxes to comply with this or that regulation.
The real question is how many services are able to access the data live and how many support and debug interfaces (indirectly) allow you to read it. Measure GitHub's success in securing the secrecy of private repos in how few employees can breach it without causing alarms. Even without cynicism I would be surprised if it was their main concern. Data integrity is far more important for code. (There are notable exceptions, of course. If applicable, don't put it in the cloud!)
The real question is how many services are able to access the data live and how many support and debug interfaces (indirectly) allow you to read it. Measure GitHub's success in securing the secrecy of private repos in how few employees can breach it without causing alarms. Even without cynicism I would be surprised if it was their main concern. Data integrity is far more important for code. (There are notable exceptions, of course. If applicable, don't put it in the cloud!)