A feature of civilian security is that "It was restored from Git" is doesn't immediately spark a concern that Git could be compromised.
I'm not saying that it is, but compromising Git is certainly the sort of thing which would occur to a state sponsored espionage agency. And if one were seeking to compromise the Linux toolchain, it would certainly be a very attractive link. So attractive that not including it in a multi-vector attack might be considered grossly unprofessional.
Version control systems are a bad target. They are too simple, too deterministic, and too networked. You can steal their data, but if you insert something, you will get caught.
Yeah, there are exceptions, all of them proprietrary. There is no reason to trust GIT less just because some companies can make even version control hard.
Even assuming that Git is unassailable with a billion dollar budget:
How long has the Linux kernel been under development?
How long has it been version controlled using Git?
How long has it been a potential target of state sponsored espionage agencies?
The potential adversaries have been taking cryptography and security seriously since long before the Linux community. They have larger budgets and significant expertise backed by patriotism and economic rewards.
Compared to pulling a nuclear submarine wreck from the depths of the Pacific, Git might not appear so difficult.
I'm not saying that it is, but compromising Git is certainly the sort of thing which would occur to a state sponsored espionage agency. And if one were seeking to compromise the Linux toolchain, it would certainly be a very attractive link. So attractive that not including it in a multi-vector attack might be considered grossly unprofessional.