Large language models for code (LLM4Code) trained on open-source repositories containing personally identifiable information (PII) pose significant privacy leakage risks; however, prior work overlooks the heterogeneity across PII types. Method: We propose the first type-aware structural causal model to quantify the causal relationship between PII learnability and leakage risk from a training dynamics perspective. Leveraging a multi-type PII dataset, fine-tuning across model scales, and empirical analysis of real training trajectories, we systematically measure how PII types—including IP addresses, cryptographic keys, and fuzzy identifiers—differ in learnability and leakage propensity. Results: We find that easily learnable PII (e.g., IPs) exhibits significantly higher leakage frequency, while hard-to-learn types (e.g., keys) leak less frequently; fuzzy identifiers show divergent behavior. Based on these findings, we introduce a learnability-aware defense framework, providing both theoretical grounding and practical guidance for fine-grained privacy risk assessment and mitigation in LLM4Code.

Large language models for code (LLM4Code) have greatly improved developer productivity but also raise privacy concerns due to their reliance on open-source repositories containing abundant personally identifiable information (PII). Prior work shows that commercial models can reproduce sensitive PII, yet existing studies largely treat PII as a single category and overlook the heterogeneous risks among different types. We investigate whether distinct PII types vary in their likelihood of being learned and leaked by LLM4Code, and whether this relationship is causal. Our methodology includes building a dataset with diverse PII types, fine-tuning representative models of different scales, computing training dynamics on real PII data, and formulating a structural causal model to estimate the causal effect of learnability on leakage. Results show that leakage risks differ substantially across PII types and correlate with their training dynamics: easy-to-learn instances such as IP addresses exhibit higher leakage, while harder types such as keys and passwords leak less frequently. Ambiguous types show mixed behaviors. This work provides the first causal evidence that leakage risks are type-dependent and offers guidance for developing type-aware and learnability-aware defenses for LLM4Code.