Read-only makes it so a buyer can’t push to main or modify the repo configuration. That’s to stop someone from paying to “grief” it in the worst case, and just to stop buyers from making changes the owner didn’t sign off on in more typical cases. They can still raise issues and submit PRs, to my knowledge.
Yes, it’s intended for private repos. As it stands, you could add a public repo, but there wouldn’t be much point unless you’re using it as a way to accept donations, though I think GitHub Sponsors is more apt for that. Typically when you add someone to a private repo, they get full write access.