I think it was when you create a merge request back, that the original repo would then run the forked branch on the original runners.

From what I can tell, its now been much more locked down, so its better, but still worth being careful about.

More discussion: reddit.com/…/forks_and_selfhosted_action_runners/

The other potential risk is that the github action author maliciously modifies their code in a later version, but that is solved with version pinning the actions.