You can probably catch a big pie of those with simple heuristics to flag suspicious repos for expensive review (human- or AI-based). I did that with public account & repo data, and I believe they can do much more given the amount of private data they have access to.

I'm talking about 10s of repos flagged in a few hours. I don't think the volume would be that big for an expensive review.