In short: "My toolchain chose to do a thing that is insecure given your (publicly-known) approach to managing your usernames. Now I am exposed to a security vulnerability and it's your fault!"

No! This is the go ecosystem's fault! It was knowable that GitHub managed usernames this way and yet they still chose to introduce this security risk.