Hacker News

That wouldn't be possible, and that's independent of the security issue we've disclosed in the post.

For pull requests Travis CI has long had security measures in place to prevent this scenario from happening: https://docs.travis-ci.com/user/pull-requests#Pull-Requests-...




Doesn't this still make it potentially available in case some malicious/unmalicious coder leaves some console debugging out?


Only if you merge it in. The point is the secure environment variables are not available at all in the fork build. The bash oneliner they show is to help you run scripts which won't crash if they don't have those env vars available, not to "hide them" by running a test script which doesn't use them.

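Added example, not from the thread or the Travis CI docs: a POSIX shell script showing the pattern the comment above describes, a build that runs its tests unconditionally and skips its secret-dependent step when the secure variables are absent, rather than crashing. TRAVIS_SECURE_ENV_VARS is the variable Travis CI actually exports ("true" when secure variables were decrypted, "false" otherwise); DEPLOY_TOKEN, the stage names and the masking helper are placeholders chosen for this example.

```shell
#!/bin/sh
# Added example (not from the Travis CI docs or the discussion): a CI script
# that degrades gracefully when secure environment variables are absent, which
# is the situation in a pull-request build from a fork.
#
# TRAVIS_SECURE_ENV_VARS is the real variable Travis sets to "true" or "false".
# DEPLOY_TOKEN, the stage names and the commands are hypothetical placeholders.

# secrets_available: succeeds (exit 0) only when Travis reports that secure
# variables were decrypted AND the specific secret this script needs is
# non-empty. Checking the specific variable matters: secure variables can be
# "available" in principle while this particular one was never defined.
secrets_available() {
    [ "${TRAVIS_SECURE_ENV_VARS:-false}" = "true" ] && [ -n "${DEPLOY_TOKEN:-}" ]
}

# mask_secret: what a log line should show if a debug statement ever echoes
# the variable. Prints the first four characters followed by "****", or
# "<unset>" when the value is empty. Never print the raw value.
mask_secret() {
    if [ -z "$1" ]; then
        printf '%s\n' '<unset>'
    else
        printf '%.4s****\n' "$1"
    fi
}

# run_stage: the test stage always runs; the deploy stage runs only when
# secrets are present and otherwise reports that it was skipped. Both paths
# return 0 so a fork PR build does not fail merely because secrets were
# withheld. An unknown stage name returns 2.
run_stage() {
    case "$1" in
        test)
            # stand-in for the real test command
            echo "running tests (no secrets required)"
            return 0
            ;;
        deploy)
            if secrets_available; then
                echo "deploying with token $(mask_secret "$DEPLOY_TOKEN")"
            else
                echo "skipping deploy: secure environment variables not available"
            fi
            return 0
            ;;
        *)
            echo "unknown stage: $1" >&2
            return 2
            ;;
    esac
}

# Typical .travis.yml usage would be:  script: ./ci.sh test && ./ci.sh deploy
if [ $# -gt 0 ]; then
    run_stage "$1"
fi
```

In a fork pull-request build Travis sets TRAVIS_SECURE_ENV_VARS=false and leaves DEPLOY_TOKEN unset, so `run_stage deploy` prints the skip line and exits 0 while `run_stage test` runs as usual; in a trusted build both stages run. The second check in secrets_available covers a build where secure variables were decrypted but this repository never defined the one the script depends on.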

I know many instances where code reviews didn't catch a log statement in huge binaries.


Right, but now you're in the "review of a PR didn't catch malicious code" boat. At which point, you've got bigger problems than leaking env vars in your CI.

Not to dismiss it---it's just a different point.



