Check for external CI/CD configs pointing to projects with less restrictive access than the origin project
It's possible to have an external CI/CD config https://docs.gitlab.com/ee/ci/pipelines/settings.html#specify-a-custom-cicd-configuration-file
It would be nice to have visibility into what projects use this feature, but a private project using an external CI config from a public project should probably require an investigation.