It appears that packages that have their access changed from public to private remain listed on yarnpkg.
Looking through the code, as far as I can tell, there isn't a mechanism for detecting changes in access level, which would mean the private package will remain indexed indefinitely.

Unfortunately that might be on npm's side, we are listening to changes in the registry, and visibility change doesn't seem to trigger a change event.

I'd love to have this handled automatically, possibly there's another event we can listen to? Feel free to reach out if you want to contribute