Looking at the code, you have to check out the source and then run another script to check out the source from Google's private source control system/depot.
Why it isn't just in a public repo, I don't know. It looks like it is set up so they can pull it at a moment's notice.
This is just silly. You can't say that you can pull the code from a public repository, and then claim it's private. If it's set up so you can pull the code, and you do so successfully, then it's by definition public. It's totally understandable that you're unfamiliar with how the the projects and dependencies are distributed. The Chromium projects are one of the largest and most complex codebases you're likely to encounter. However, it's all clearly documented and public, with numerous open source contributors. So, it's very disturbing that your first thought is not try and learn why, but rather to insinuate some irrational conspiracy theory.
Everything is in public svn and/or git repositories. The thing that's confusing you is probably how modules are split out as dependencies. They're not checked directly into the tree, and instead are listed by repository URL and pinned revision in DEPS files. On checkout and sync gclient pulls the correct revision from the appropriate repository: http://dev.chromium.org/developers/how-tos/depottools#TOC-DE...
Why it isn't just in a public repo, I don't know. It looks like it is set up so they can pull it at a moment's notice.
I agree with your comments.