The risks of embedded bare repositories in Git
Posted May 1, 2022 18:31 UTC (Sun) by NYKevin (subscriber, #129325)
In reply to: The risks of embedded bare repositories in Git by timon
Parent article: The risks of embedded bare repositories in Git
I guess my concern is that a user might have a setup like this:
1. The user regularly clones untrusted Git repositories, for whatever reason.
2. If a repository contains a .git directory (actually checked in, not in the root of the repo), then the user (or some software acting on behalf of the user) will avoid cloning that repo, because they don't want to deal with the possibility of corrupt/malicious sub-repositories.
3. Bare repositories don't contain a .git directory, so this doesn't work.
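
An added example (not part of the comment above and not code from Git): a scanner for a cloned working tree that reports nested `.git` directories, as in step 2, and also directories laid out like a bare repository, the case step 3 says a name-based check misses. The layout test (a `HEAD` file plus `objects/` and `refs/` directories) is a heuristic assumed here; `find_embedded_repos`, `looks_like_git_dir`, `build_demo_tree` and the demo paths are hypothetical names.

```python
import os
import tempfile

def looks_like_git_dir(path):
    # Heuristic (assumption): HEAD file plus objects/ and refs/ directories.
    return (os.path.isfile(os.path.join(path, "HEAD"))
            and os.path.isdir(os.path.join(path, "objects"))
            and os.path.isdir(os.path.join(path, "refs")))

def find_embedded_repos(worktree):
    """Return sorted (relative_path, kind) for repositories nested in worktree."""
    findings = []
    top_git = os.path.join(worktree, ".git")
    for dirpath, dirnames, _files in os.walk(worktree):
        for name in sorted(dirnames):
            full = os.path.join(dirpath, name)
            if full == top_git:
                dirnames.remove(name)      # the clone's own metadata, not embedded
                continue
            if name == ".git":
                kind = "dot-git"           # what the name-based check in step 2 finds
            elif looks_like_git_dir(full):
                kind = "bare"              # no .git component anywhere in the path
            else:
                continue
            findings.append((os.path.relpath(full, worktree), kind))
            dirnames.remove(name)          # do not descend into a flagged repository
    return sorted(findings)

def build_demo_tree(root):
    # Constructed sample input: an empty skeleton, not a real repository.
    for d in (".git", "src", os.path.join("vendor", "lib", ".git"),
              os.path.join("docs", "sample", "objects"),
              os.path.join("docs", "sample", "refs")):
        os.makedirs(os.path.join(root, d))
    with open(os.path.join(root, "docs", "sample", "HEAD"), "w") as fh:
        fh.write("ref: refs/heads/main\n")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        for rel, kind in find_embedded_repos(tmp):
            print(f"{kind:8} {rel}")
```

On the constructed tree, only `vendor/lib/.git` has a `.git` path component; `docs/sample` is reported solely because of its layout.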
