Manufacturing a SHA1 collision is certainly doable. Doing it in a way that allows you to modify an individual commit in a git tree while also not breaking git's internal consistency with respect to history is an attack I've not seen done yet.
And of course you can sign tags with GPG for extra confidence.
As far as bandwidth and diskspace is concerned it would be worth doing some tests before ruling it out as less efficient than rsync. The over the air update protocol is fairly efficient and the .git directory is often smaller than the checked out tree as it's fairly heavily compressed. Plus of course as a developer it's really useful to have the whole history of an ebuild available to you when diagnosing issues or trying to understand why something was done.