
I'm saying private keys are not more secure by default. If your development machine is compromised (which is really easy to do, BTW) they'll steal your keys and probably will have root on your servers and access to your GitHub accounts.

Stealing passwords is much harder in comparison.




As an attacker, maybe true depending on your target. As a user I have had my passwords compromised many times. My SSH keys never have and I don’t know of any prominent evidence this happens much at all. I have been doing reversing, netsec, and appsec for 15 years now, so my memory goes back a ways. Plus, for example, my main system is a Linux desktop. You can and should password protect your SSH keys, which further eliminates a number of key compromise scenarios.



