That is correct. Your account will only be responsible for sites in that account. The repo can be connected to several other Netlify sites on different Netlify accounts, and your account won’t be responsible for charges accumulated by them.
P.S. Sorry for replying to an old thread. I found the answers here a bit confusing
Disclaimer: Not a cyber security expert, take this advice at your own risk.
I had the same question… I don’t think you have to do anything to prevent that (follow at your own risk)
From what I can tell - your client cannot link to another repo.
Say you gave the Netlify App permission to read from Repo A, B, C & D. And your client’s site is linked to Repo A. Then, they still cannot link their site to Repos B, C or D.
This is because every time you want to link another repo, an authentication screen comes up (I tested this myself in incognito mode). If you aren’t logged into GitHub, you need to provide a password.
Obviously, do not log into your client’s machine or give them your GitHub password…
While Netlify can read multiple repos from your account, it appears that a site can only read the repo it is linked to.
As a safety measure, do not set the Netlify app to read all repos. Only let it read the relevant ones. Then, when you hand off a project, make sure you revoke the app's access to the relevant repo. This helps to protect you if someone finds a bug or exploit.
So… I think it's safe to keep all your repos on one GitHub account and link them to multiple client accounts. Take my advice at your own risk.
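The advice in the post above (do not install the Netlify GitHub App with "All repositories", and remove a repo from the installation once a project is handed off) can be checked rather than trusted. The script below is an added example, not code from the thread or from Netlify: it audits every GitHub App installation visible to your account using the documented REST endpoints `GET /user/installations`, `GET /user/installations/{id}/repositories` and `DELETE /user/installations/{id}/repositories/{repo_id}`, flags any installation set to `repository_selection == "all"`, and flags any repo an app can read that is not on your allow-list for it. The `GITHUB_TOKEN` environment variable, the assumption that the token may read installations on the authenticated account, and all account, app and repository names in the sample data are assumptions constructed for the example; the sample data is shaped like the API responses, not taken from a real account.

```python
"""Audit GitHub App installations (e.g. Netlify's) for over-broad repo access.

Added example, not from the original thread. Uses the response shapes of
GET /user/installations and GET /user/installations/{id}/repositories.
"""
import json
import os
import urllib.request

API = "https://api.github.com"


def github_request(path, token, method="GET"):
    """Call the GitHub REST API (live mode only).

    Assumption: `token` is a classic PAT or gh CLI token that is allowed to
    read the authenticated user's app installations.
    """
    req = urllib.request.Request(
        API + path,
        method=method,
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "X-GitHub-Api-Version": "2022-11-28",
        },
    )
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
        return json.loads(body) if body else None  # DELETE returns 204, no body


def audit_installations(installations, list_repos, allowed):
    """Return (app_slug, finding, repo) tuples for over-broad installations.

    installations: installation objects (fields used: id, app_slug,
        repository_selection) from GET /user/installations.
    list_repos: callable(installation_id) -> list of repo full names, i.e. the
        "repositories" array of GET /user/installations/{id}/repositories.
    allowed: {app_slug: set of repo full names that app is meant to access}.
    """
    findings = []
    for inst in installations:
        slug = inst["app_slug"]
        if inst["repository_selection"] == "all":
            # The risky setting: every current and future repo is readable,
            # so there is nothing per-repo to revoke at handoff time.
            findings.append((slug, "all-repositories", None))
            continue
        for repo in list_repos(inst["id"]):
            if repo not in allowed.get(slug, set()):
                findings.append((slug, "unexpected-repo", repo))
    return findings


def remove_repo_from_installation(installation_id, repository_id, token):
    """Revoke one repo from an installation after a project handoff."""
    github_request(
        f"/user/installations/{installation_id}/repositories/{repository_id}",
        token,
        method="DELETE",
    )


def live_findings(allowed):
    """Run the audit against the real account behind GITHUB_TOKEN (assumed set)."""
    token = os.environ["GITHUB_TOKEN"]
    installations = github_request("/user/installations", token)["installations"]

    def list_repos(inst_id):
        data = github_request(f"/user/installations/{inst_id}/repositories", token)
        return [r["full_name"] for r in data["repositories"]]

    return audit_installations(installations, list_repos, allowed)


# Constructed sample data in the API's shape; the names are made up.
SAMPLE_INSTALLATIONS = [
    {"id": 101, "app_slug": "netlify", "repository_selection": "selected"},
    {"id": 202, "app_slug": "some-ci-bot", "repository_selection": "all"},
]
SAMPLE_REPOS = {101: ["dev/client-a-site", "dev/private-notes"]}
ALLOWED = {"netlify": {"dev/client-a-site"}}


def sample_findings():
    """Offline run over the constructed sample data."""
    return audit_installations(
        SAMPLE_INSTALLATIONS, lambda inst_id: SAMPLE_REPOS.get(inst_id, []), ALLOWED
    )


if __name__ == "__main__":
    for finding in sample_findings():
        print(finding)
```

Run it as-is to see the two findings on the sample data (Netlify can read `dev/private-notes`, which is not on its allow-list, and the other app is installed on all repositories); call `live_findings({...})` with your own allow-list and `GITHUB_TOKEN` set to audit a real account, and `remove_repo_from_installation` with the installation and repository IDs to perform the revocation the post recommends.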