git fsck makes it much harder to attack a git repo, but it seems that the normal git workflow does not enable it by default. In #FDroid it is enabled for all fetches in our config:
https://f-droid.org/docs/FAQ_-_App_Developers/#how-can-i-handle-fsck-error-in-packed-object-for-my-app

But I still can't find a clear answer about what checks #Git does by default. Anyone know?