If GitHub really has reason to suspect that op's account is hijacked, they should be able to figure out at least one of op's email address (simply by the fact that email address is attached to the account long before the hijacking happened), and send some communications there? Or provide an official process of "we suspended your account because we have reason to suspect that your account is hijacked. we won't response to your emails either, this is how to contact us to have your account reinstated"?
Also op said they do have 2fa, which makes this excuse even poorer.
A malicious party could have access to OP's other accounts, maybe OP reuses passwords. It's in the realm of plausibility that they are being cautious not to alert the attacker. If they/authorities want to use the opportunity to observe and collect evidence then I think these actions on GitHub's part are somewhat reasonable, albeit kind of shitty.
Also op said they do have 2fa, which makes this excuse even poorer.