When you perform a push on GitHub, the data is pushed into the repository for you fork. Then, if there are multiple forks, those objects are moved into an alternate that is shared by all repositories in that network, forks included. This saves a lot of space when there are many forks, and it makes pull requests much easier, since the objects are already present in the main repository.
However, it means practically that all objects in all forks in the network are visible through any fork. As a result, if your fork were private, then someone who knew an object ID could view it through the main repository and see that data. This would be a security problem, so GitHub doesn’t allow it.