The dbus maintainers can open confidential merge requests by using a
private git repository, but other contributors (including most security
researchers) cannot, so the safest simple recommendation is no merge
requests.

Signed-off-by: Simon McVittie <smcv@collabora.com>