
Deduplicated objects from an internal repository are publicly accessible by name through a public project

In #33318 (closed) we made it possible to deduplicate internal projects. A consequence of this is that the following scenario becomes possible:

  1. Fork public Project A -> Project B. Both projects are public at this point, and the object pool is created.
  2. Change the visibility level of Project A to internal. The fork network is broken, but Project B remains part of the maintained object pool.
  3. Create a commit in Project A and take note of its hash.
  4. Trigger housekeeping on Project A. This causes the new objects to be fetched into the object pool.
  5. In a clone of Project B, as an anonymous user, run git fetch origin <commit sha>. This succeeds because the object is available in the object pool.

The refs aren't advertised, so users need to know the sha of objects to be able to fetch them through the public project.
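The scenario above, reproduced as an added local lab that is not part of the issue or of GitLab's own code: it stands in for the object pool with a plain bare repository plus git's alternates mechanism, mirrors steps 1 to 4 locally, and then runs the check a maintainer could use to find objects a public fork can serve only through the pool. Repository paths, commit messages and the pool fetch refspec are constructed for the example.

```shell
#!/bin/sh
# Added lab script (not from the GitLab issue): mirrors steps 1-4 with local
# repositories, then audits the public fork for objects it can serve through
# the pool even though none of its own refs reach them. Paths are constructed.
set -e
export GIT_AUTHOR_NAME=lab GIT_AUTHOR_EMAIL=lab@example.invalid
export GIT_COMMITTER_NAME=lab GIT_COMMITTER_EMAIL=lab@example.invalid

# Builds the lab and prints "<lab dir> <sha of the internal-only commit>".
setup_lab() {
  lab=$(mktemp -d)
  # Project A, the upstream that later becomes internal, with one public commit.
  git -c init.defaultBranch=main init -q "$lab/a"
  git -C "$lab/a" commit -q --allow-empty -m "public base"
  # The object pool: a bare repository holding A's objects (step 1).
  git clone -q --bare "$lab/a" "$lab/pool.git"
  # Project B, the public fork: --shared writes objects/info/alternates so B
  # reads objects from the pool instead of copying them (step 1).
  git clone -q --shared "$lab/pool.git" "$lab/b"
  # Step 2 is a visibility change only; nothing happens to the pool.
  # Step 3: a commit that exists only in the now-internal Project A.
  git -C "$lab/a" commit -q --allow-empty -m "internal only"
  secret=$(git -C "$lab/a" rev-parse HEAD)
  # Step 4: housekeeping fetches A into the pool under remote-tracking refs.
  git -C "$lab/pool.git" fetch -q "$lab/a" "+refs/heads/*:refs/remotes/a/*"
  echo "$lab $secret"
}

# Returns 0 (true) when repository $1 can serve object $2 although no ref of
# its own reaches it, i.e. the object is exposed only through the pool.
leaks_via_pool() {
  repo=$1; oid=$2
  # Servable: cat-file looks through the alternates, just as upload-pack does.
  git -C "$repo" cat-file -e "$oid" 2>/dev/null || return 1
  # Unreachable: rev-list follows only the repository's own refs, not the pool's.
  ! git -C "$repo" rev-list --all --objects | grep -q "^$oid"
}

main() {
  set -- $(setup_lab)
  if leaks_via_pool "$1/b" "$2"; then
    echo "Project B can serve $2 from the pool although none of its refs reach it"
  else
    echo "no pool-only object found for $2"
  fi
}
main
```

Running the audit over every object in the pool (git -C pool.git rev-list --all --objects) instead of one known SHA turns this into a scan for all pool-only objects a public fork exposes.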

Question:

If we are okay with internal objects being publicly accessible in this way, could we allow deduplication for private projects?

Edited by Bob Van Landuyt