It's a social convention, not an enforced rule - if one sees a github link, the expectation it's an open source project, or at least source-available. Having closed source project hosted there breaks this expectation.
If you're working in a private repo for your closed source company or whatever then fine. Maybe also you pay GitHub for that.
If the repo is public, it's highly suspicious that you're serving malware. Even if not, it doesn't match a sensible git workflow. You wouldn't run a private repo with a README and no source code with some binary links. That's not a sensible way to do any project, open or not.
If the repo is public, it's highly suspicious that you're serving malware. Even if not, it doesn't match a sensible git workflow. You wouldn't run a private repo with a README and no source code with some binary links. That's not a sensible way to do any project, open or not.