Session fixation and CSRF vulnerabilities resulting from a browser security issue
sometimes referred to as “Related Domain Cookies”. Because Pages sites
may include custom JavaScript and were hosted on github.com subdomains,
it was possible to write (but not read) github.com domain cookies in
a way that could allow an attacker to deny access to github.com and/or fixate
a user’s CSRF token.

Phishing attacks relying on the presence of the “github.com” domain to
create a false sense of trust in malicious websites. For instance, an
attacker could set up a Pages site at “account-security.github.com” and ask
that users input password, billing, or other sensitive information.
That doesn't really answer the "why" for me, it just raises more questions. I thought it was a branding thing?
When GitHub made that change, they explained it a bit better imho
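
The related-domain cookie behaviour in the quoted passage above, as an added example that is not part of the original thread or GitHub's code: a simplified JavaScript model of the browser's cookie scoping rule, showing why a page on a subdomain can write a parent-domain cookie but cannot read the site's host-only cookie. The hostnames, cookie names and values are constructed, `publicSuffixes` is a hypothetical stand-in for the Public Suffix List, and the `__Host-` prefix check is a browser mitigation that the thread does not mention.

```javascript
// Simplified model of browser cookie scoping (no replacement or expiry logic).

// RFC 6265 domain-match: `host` equals `domain` or is a subdomain of it.
function domainMatches(host, domain) {
  return host === domain || host.endsWith("." + domain);
}

// Would a browser store `cookie` set from `settingHost`? `publicSuffixes` is a stand-in list.
function browserAccepts(settingHost, cookie, publicSuffixes = ["com"]) {
  const { name, domain, secure, path } = cookie;
  // __Host- prefix: requires Secure, Path=/ and no Domain attribute.
  if (name.startsWith("__Host-") &&
      (domain !== undefined || !secure || path !== "/")) return false;
  if (domain === undefined) return true;              // host-only cookie
  if (publicSuffixes.includes(domain)) return false;  // scope too broad
  return domainMatches(settingHost, domain);          // parent domain is allowed
}

function setCookie(jar, settingHost, cookie) {
  if (!browserAccepts(settingHost, cookie)) return false;
  const hostOnly = cookie.domain === undefined;
  jar.push({ name: cookie.name, value: cookie.value, hostOnly,
             scope: hostOnly ? settingHost : cookie.domain });
  return true;
}

// Cookie header sent to `requestHost`: names and values only, no origin info.
function cookieHeaderFor(requestHost, jar) {
  return jar
    .filter(c => c.hostOnly ? c.scope === requestHost
                            : domainMatches(requestHost, c.scope))
    .map(c => `${c.name}=${c.value}`)
    .join("; ");
}

function demo() {
  const jar = [];
  // Main site (constructed hosts and values): host-only session cookie.
  setCookie(jar, "github.com", { name: "session", value: "site-issued" });
  // A page on a subdomain writes a cookie scoped to the parent domain.
  const plain = setCookie(jar, "someuser.github.com",
    { name: "csrf", value: "page-chosen", domain: "github.com" });
  // The same write against a __Host- prefixed name is refused.
  const prefixed = setCookie(jar, "someuser.github.com", { name: "__Host-csrf",
    value: "page-chosen", domain: "github.com", secure: true, path: "/" });
  return { plain, prefixed, toSite: cookieHeaderFor("github.com", jar),
           toPage: cookieHeaderFor("someuser.github.com", jar) };
}
console.log(demo());
```

In the result, `toSite` carries the page-chosen `csrf` value next to the site's own `session` cookie, while `toPage` shows that the subdomain never receives the host-only `session` cookie.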