Perhaps, but using a separate hostname github.io vs github.com is also a security mechanism. Project owners can supply rich content (read: HTML + JavaScript) on these .io pages. If these pages were on GitHub.com or subdomains of GitHub.com, this user supplied content can interact with and hijack the github.com cookies like session ids.
Yes, GitHub can use the domain attribute on a cookie to prevent this, but then you have designed a system that will fail open if you mess up. (i.e. potentially malicious user content would always be able to access a cookie, unless GitHub does something).
Better to just stick it on a separate domain entirely, and this is a commonly used practice. For example, Google does this with their googleusercontent.com domain
In addition to that, putting user-supplied content on separate domains allows GitHub to list those domains in https://publicsuffix.org/, which they did:
// GitHub, Inc.
// Submitted by Ben Toews <…@github.com> 2014-02-06
github.io
githubusercontent.com
Apple/Google/Microsoft/Mozilla use this list to restrict cookies -- foo.github.io can't set a cookie for github.io, even though it normally would be permitted. This list is also used to highlight the address bar, so "foo" would be emphasized, rather than "foo.github".
Yes, GitHub can use the domain attribute on a cookie to prevent this, but then you have designed a system that will fail open if you mess up. (i.e. potentially malicious user content would always be able to access a cookie, unless GitHub does something).
Better to just stick it on a separate domain entirely, and this is a commonly used practice. For example, Google does this with their googleusercontent.com domain