Yes, but it isn't limited to non-verified emails, you can do it with verified emails as well. I assume it's already used to obscure deliberate security compromises in forks etc.
There are many practical impersonation vectors. I assume Github is gonna have to require signed commits for profile links in the medium term future.
There are many practical impersonation vectors. I assume Github is gonna have to require signed commits for profile links in the medium term future.