rvz 5 years ago

> Would you use them to version sensitive data?

If you are using a self-hosted version of GitHub or preferably GitLab then yes. However, if you're on GitHub or GitLab's cloud version then it's not secure and you have zero control, even if it's private.

> Would GitLab/GitHub have access to the underlying content/history?

Who knows. But the first answer tells you that you will have more control in a self-hosted environment over a cloud-based version and I wouldn't risk putting sensitive data there unless I have complete control with a self-hosted open-source version (GitLab).

> ...though how about medical/income/taxation documents or information?

Well, that's very sensitive data equivalent to bank-level information, which can be used as a reason for others to determine your job, insurance or loan choices. Thus, it should be treated as sensitive too.

lma21 5 years ago

You're right on the sensitivity of such data... better to go with a self-hosted GitLab.

  • antoineMoPa 5 years ago

    But if you fail to update it, you leave unpatched security holes. In practice, using a cloud version could be better.

  • sigjuice 5 years ago

    Where would this self-hosted gitlab be hosted?

colejohnson66 5 years ago

Exactly. Just wait until a GitHub bug or a PEBKAC causes your private GitHub (cloud-based) repo to go public and leak sensitive information (a la AWS’ buckets).