One key questions is who has the administrative access. That or those person can always read your data, and potentially leak this out to third parties knowingly or not knowingly or just read it for their own entertainment or education. This is not only a problem for hosted services, this is also a problem if your store your data within your own company. But at least you know the person. For small companies the administrative password might be in the hands of the business owner.
The main point is that the public code hosting companies are such a huge target. There is a lot to gain from hacking such a large code repository. This is a very interesting target for government agencies, so big that they just get an insider into the hosting company who just takes a USB stick with all the data on his way home. This might be as easy as just applying for an admin job there and even get paid with all benefits. I don't think we will ever see any news about this, simply because there are no traces to be expected, unless someone wants to brag about it. Hosting companies as far as I know don't require security clearances anything like government agencies do. And the fact that this all will be in stealth mode puts very little pressure on a hosting company to actually do anything about it.
