In my team, I added several user groups with NO access to team repositories. I overwrite it per repository by giving READ access to specific user groups. A user from one of these user groups can then fork the private repository (except if I didn't allow it from the repository details page). The fork is private like I specified it in the repository details page. Nevertheless, the user can manage access to his/her fork and give access (by mistake) to any group of the team in which he/she is and thus give access to someone who doesn't have access to the main repository. Even worse, he/she can give access (by mistake) to anyone who is not a member of the team.
It's not good at all since he/she will be able to see all the old commits and files of the main repository which are present in the fork.
Please, the owner of a fork of a private repository MUST NOT manage access to his/her fork. Otherwise, I will have to disable forking for the members of my team and I will have to create forks for them with the team as owner. It doesn't sound like the way to do it.
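The exposure described above can be audited by comparing who can effectively read each fork with who can read the parent repository. This is an added example, not part of the original post; the group names, users and grant dictionaries are constructed, and the data model is an assumption that does not reflect any hosting service's API.

```python
# Constructed sample data; names and structure are assumptions for this
# example and are not taken from any hosting service's API.
TEAM_GROUPS = {
    "backend": {"alice", "bob"},
    "frontend": {"carol"},
    "contractors": {"dave"},
}

# Team default is no access; READ is granted per repository to one group.
PARENT = {"name": "team/core", "group_grants": {"backend": "read"}, "user_grants": {}}

FORKS = [
    {"name": "alice/core", "owner": "alice",
     "group_grants": {"frontend": "read"}, "user_grants": {"mallory": "read"}},
    {"name": "bob/core", "owner": "bob", "group_grants": {}, "user_grants": {}},
]


def effective_users(repo, groups):
    """Expand group and direct grants into the set of users who can read repo."""
    users = set()
    for group, level in repo["group_grants"].items():
        if level != "none":
            users |= groups.get(group, set())
    users |= {u for u, level in repo["user_grants"].items() if level != "none"}
    if "owner" in repo:
        users.add(repo["owner"])
    return users


def audit_forks(parent, forks, groups):
    """Return {fork name: {user: reason}} for users who see a fork but not its parent."""
    parent_users = effective_users(parent, groups)
    team_members = set().union(*groups.values())
    findings = {}
    for fork in forks:
        extra = effective_users(fork, groups) - parent_users
        if extra:
            findings[fork["name"]] = {
                u: "team member without parent access" if u in team_members
                else "not a team member"
                for u in sorted(extra)
            }
    return findings


if __name__ == "__main__":
    for fork, users in audit_forks(PARENT, FORKS, TEAM_GROUPS).items():
        for user, reason in users.items():
            print(f"{fork}: {user} ({reason})")
```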