If you only ever keep your repository private AND it is not a fork of a public repo, then you are fine. Full stop.
If you ever fork the repo and make a “INTERNAL” private fork but move the main project public then anything you commit to the private fork will be discoverable through the public project.
Basically you should assume if you make a repo public then the repo and all of its forks will be public-- even if the forks are “private” the commit data can be found through the main repo.
It would be much more customer and developer friendly to allow linking a service portal instead of providing a phone number. I would go insane if a user called me directly every time one of my projects had a bug or some perceived (non)issue. No, that’s not how this works.