
Edit: The above is true if known_hosts contains only the ECDSA / Ed25519 host key. But as mentioned elsewhere in this thread, newer OpenSSH versions automatically add alternate host keys (https://lwn.net/Articles/637156/), in which case the old RSA key would have been added to known_hosts even if only ECDSA / Ed25519 were used. In that case, the user will be vulnerable until the next time they ssh into (non-MITM) github.com, since that will update the RSA key in known_hosts.
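Added example, not part of the comment above: a way to check whether a known_hosts file pins an `ssh-rsa` key for github.com, including entries stored with hashed host names. The function names and the sample file are constructed for illustration; the script only lists the RSA entries for review and handles exact host names, not wildcard patterns.

```python
import base64
import hashlib
import hmac
import os

def hash_name(host, salt):
    """Hashed known_hosts host field: |1|b64(salt)|b64(HMAC-SHA1(key=salt, host))."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|%s|%s" % (base64.b64encode(salt).decode(),
                         base64.b64encode(mac).decode())

def host_matches(field, host):
    """True if a comma-separated host field names `host` (plain or hashed)."""
    for name in field.split(","):
        parts = name.split("|")
        if name.startswith("|1|") and len(parts) == 4:
            # Recompute the hash with the entry's own salt and compare.
            if hash_name(host, base64.b64decode(parts[2])) == name:
                return True
        elif name == host:
            return True
    return False

def pinned_key_types(text, host="github.com"):
    """(line_number, key_type) for every host key pinned for `host`."""
    found = []
    for no, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        # Skip blanks, comments, and @cert-authority / @revoked marker lines.
        if len(fields) < 3 or fields[0][0] in "#@":
            continue
        if host_matches(fields[0], host):
            found.append((no, fields[1]))
    return found

def rsa_entries(text, host="github.com"):
    """Line numbers of ssh-rsa entries for `host`; these are the ones to review."""
    return [no for no, kt in pinned_key_types(text, host) if kt == "ssh-rsa"]

# Constructed sample; the key blobs are placeholders, not real keys.
SAMPLE = "\n".join([
    "# constructed sample",
    "github.com ssh-ed25519 AAAAPLACEHOLDERED25519",
    "github.com ssh-rsa AAAAPLACEHOLDERRSA",
    hash_name("github.com", b"constructed-salt-000") + " ssh-rsa AAAAPLACEHOLDERRSA",
    "example.org ssh-rsa AAAAPLACEHOLDEROTHER",
])

if __name__ == "__main__":
    path = os.path.expanduser("~/.ssh/known_hosts")
    text = open(path).read() if os.path.exists(path) else SAMPLE
    print("ssh-rsa entries for github.com on lines:", rsa_entries(text))
```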

