Unless you've explicitly limited it, anyone who can read your repository can review a pull request or comment on a commit.
After a pull request is opened, anyone with read access can review and comment on the changes it proposes.
...
By default, in public repositories, any user can submit reviews that approve or request changes to a pull request. Organization owners and repository admins can limit who is able to give approving pull request reviews or request changes.