EE84M3i 2 days ago

SVGs are also images that can contain scripts if not validated.

It's also relevant that github.io is on the public suffix list, which impacts a bunch of downstream things and isolates the subdomains from each other.

fc417fc802 2 days ago

> if not validated

I thought script tags were an official part of SVG? Meaning that a valid SVG can contain embedded JS.

bandie91 a day ago

He must have meant to 'sanitize' or 'filter'.
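The validate-versus-sanitize distinction raised in this thread, as an added example that is not from any of the commenters: the constructed sample below parses as well-formed SVG, and only an explicit filtering pass removes its active content. The function name, the `track()` calls and the denylist are assumptions made for illustration; the denylist is not exhaustive, and a production sanitizer should allowlist known-safe elements and attributes instead.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
# Illustrative denylist of elements that run or embed active content.
ACTIVE_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object"}

# Constructed sample: well-formed SVG carrying three kinds of script.
SAMPLE = ('<svg xmlns="http://www.w3.org/2000/svg" onload="track()">'
          '<script>track()</script>'
          '<a href="javascript:track()"><circle r="5"/></a></svg>')


def local(name):
    """Strip the '{namespace}' prefix ElementTree puts on names."""
    return name.rsplit("}", 1)[-1].lower()


def sanitize_svg(svg_text):
    """Return (clean_svg, removed), where removed lists what was stripped."""
    # Refuse DTDs outright so entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in svg_text or "<!ENTITY" in svg_text:
        raise ValueError("DTD/entity declarations rejected")
    root = ET.fromstring(svg_text)  # success here means well-formed, not safe
    removed = []
    # Pass 1: drop active elements together with their subtrees.
    for parent in list(root.iter()):
        for child in list(parent):
            if local(child.tag) in ACTIVE_ELEMENTS:
                parent.remove(child)
                removed.append("element:" + local(child.tag))
    # Pass 2: drop event handlers and javascript: links on what remains.
    for el in root.iter():
        for attr in list(el.attrib):
            name = local(attr)
            # Browsers ignore whitespace/case inside the scheme, so normalise.
            value = "".join(el.attrib[attr].split()).lower()
            if name.startswith("on") or (
                    name == "href" and value.startswith("javascript:")):
                del el.attrib[attr]
                removed.append("attr:" + name)
    ET.register_namespace("", SVG_NS)  # serialise without an ns0: prefix
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    clean, removed = sanitize_svg(SAMPLE)
    print(removed)
    print(clean)
```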