Is it? How else do you selectively grant access to a repo? Orgs are the normal way, it's just not normal to have a project which is proprietary and somewhat private but available to 400k people.
GitHub just needs to rethink how tagging all users works and a way to prevent this.