I was about to say "if private repo contributions count toward the code streaks, then someone could write a commit-bot to artificially inflate their code streak completely undetected."

But the code streak is being removed too, which conveniently makes this potential loophole a nonissue! (However, it wouldn't surprise me if commit bots are used regardless to give an impression of coding-every-day on the graph.)