Someone that can wrap your sudo binary can wrap your git binary too. Once your OS is compromised all bets are off.
reply
How would that help? Unless you happen to check the dotfiles git diff before running _anything_. I guess this could be put in the prompt or some cron job to detect diffs, but I bet absolutely nobody does this.