From https://index.golang.org:
If I don't set GOPRIVATE
and request a private module from these services, what leaks?
The proxy and checksum database protocols only send module paths and versions to the remote server. If you request a private module, the mirror will try to download it just as any Go user would and fail in the same way. Information about failed requests isn't published anywhere. The only trace of the request will be in internal logs, which are governed by the privacy policy.
With GOPRIVATE
working as described at https://golang.org/cmd/go/#hdr-Module_configuration_for_non_public_modules
The GOPRIVATE environment variable controls which modules the go command considers to be private (not available publicly) and should therefore not use the proxy or checksum database. The variable is a comma-separated list of glob patterns (in the syntax of Go's path.Match) of module path prefixes. For example,
GOPRIVATE=*.corp.example.com,rsc.io/private
causes the go command to treat as private any module with a path prefix matching either pattern, including git.corp.example.com/xyzzy, rsc.io/private, and rsc.io/private/quux.
To sum it up: if it is a private module, the proxy services tries to access it and will fail. I assume Go then will fall back to access it directly, circumventing the proxy altogether. To prevent this roundtrip, add your private repositories to GOPRIVATE and if you still are concerned about it, use something like wireshark to make double sure that your private modules are accessed directly.