fix(worker): only include private repos in BB Cloud user-repo list

Matches the GitHub and GitLab branches of accountPermissionSyncer,
which both pass visibility='private' for the same reason: public repos
are gated by the read-side prisma filter via isPublic, so no
AccountToRepoPermission row is needed for them.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: msukkari

packages/backend/src/bitbucket.ts

@@ -657,7 +657,7 @@ export const getExplicitUserPermissionsForCloudRepo = async (
 };
 
 /**
- * Returns the UUIDs of all repositories accessible to the authenticated Bitbucket Cloud user.
+ * Returns the UUIDs of all private repositories accessible to the authenticated Bitbucket Cloud user.
  * Used for account-driven permission syncing.
  *
  * @see https://developer.atlassian.com/cloud/bitbucket/rest/api-group-workspaces/#api-user-workspaces-get
@@ -693,7 +693,7 @@ export const getReposForAuthenticatedBitbucketCloudUser = async (
                 const { data } = await client.apiClient.GET(path, {
                     params: {
                         path: { workspace },
-                        query: { role: 'member', ...query },
+                        query: { role: 'member', q: 'is_private=true', ...query },
                     },
                 });
                 return data;