Dave WardGitGuardian's Secrets Sprawl report found millions of new exposed secrets in public repos annually. Enterprise internal repos are arguably worse: "it's internal, so it's fine" ignores that one compromised dev workstation exposes every credential in source control.
Pipeline credentials typically have write access to production databases and cloud deployment permissions. That's privileged access by any definition, outside PAM governance.