I have my email address public on my profile so that people can email me, but I’ve had it happen a few times where I get spam emails in my personal email account from automated programs set up by people to send unsolicited advertising for their projects. It usually takes the form of “Hi Matt, I notice you starred repo. I’m making the project project which you might be interested in, so I thought I’d email you and tell you about it…”. To clarify, these emails aren’t from the creators/maintainers of the projects starred, they’re from people creating something entirely separate who claim that the starred project is similar to theirs. It’s just a hook to try to justify the spam email.
I replied to one today asking where he got my email and he revealed it was because I have it on my public GitHub profile. I tried to change my email on my profile to a “something @ something dot something” form which might protect from bots a bit but it’s a drop down of actual email addresses, not a free form text field. I think a captcha would work best to protect against this kind of spam. Someone could click on it, prove they aren’t a bot, and then get access to the email address to email users.