They don't. The comment was on labelling. There is nothing in the presentation of unsigned commits to indicate that they are unsigned. The presentation is indistinguishable from that of a hypothetical GitHub that never shows commit signatures, you need to have seen a signed commit on GitHub at some point to know that the absence of that Verified note is significant.

Correct. Which is also how git works. And there is a very good, very simple, reason for why both work this way: very few users sign their commits, even fewer want to/care about signing their commits, and even fewer verify those signatures.

So few people sign their commits that the default is to assume commits are from where they say they are, even if they're not verified.

Please let me know when you figure out what GitHub could reasonably do to make enough people sign their commits to change that default.

That's absolutely their fault from a product perspective.

How do you figure? I don't consider "making the product which users want" to be a bad thing.

That’s the opposite, labeling signed commits.