The risks of embedded bare repositories in Git

Right, although that doesn't solve the issue that k3ninho mentions; running arbitrary unreviewed code (which developers do a lot) could update the list of trusted directories. You would need to use bubblewrap or another container solution to prevent random code from touching the list of trusted dirs.