I did a bit of research (landed here: https://marc.info/?l=git&m=115678778717621&w=2). It's not that

> we don’t care about people sneaking things into our git repositories

But rather that in the event of a collision, git would not sneak the attacker's malicious code into your repo. The best such an attacker can expect to achieve is to create confusion. In a project-maintainer scenario, that probably just means rejecting the PR--hardly an outcome that would justify spending the money on the hash collision in the first place.

In a we're-voting-on-whether-or-not-to-change-the-law scenario, confusion about the outcome of the vote could have dire enough consequences that an adversary might indeed care enough to bother with the calculation.

That's not to say that this is the only way in which git would be a bad choice, it's just the first that came to mind.