We just rolled out a security fix that puts all wikis under the @wiki.github.com@ subdomain. This means they can execute arbitrary JavaScript (like scriptaculous does, or maybe the Lighthouse Badge) without getting access to your cookies.

Private wikis do not allow JavaScript for similar security reasons.