It is dangerous to speak in absolutes. You have increasing confidence in your rights to use material the more you review it, or the more someone else whom you trust reviews it. But you never have certainty. Anyone who says they do is a fool. It is not about absolutes. It is about risk management.
Since the SGA is provided by someone asserting that they are providing a certain set of rights, then the risk of hosting the code is very low. Similarly, Lwn.net can host your comments, and mine, without first checking for copyright infringement, because as part of your account setup you asserted that you would not post infringing material.
With unreleased code, your confidence must be based on your own review. That doesn't make it unknowable. It just means that it is your responsibility.
For released code, Apache projects do extensive review, and you can choose to accept (or not) that due diligence as sufficient for your needs. We do this transparently on our mailing lists and we have a reputation for getting it right. That is part of the value we add.