Only signing releases is equivalent to saying "every bit of code I just released I trust and so should you". This means that you have to have reviewed every change to make sure someone didn't dupe you into signing a commit you didn't mean to.
Signing every commit is a much easier guarantee to make: "this change was made by me and I trust this change". In aggregate it's much better than just having signed releases (though of course you should sign releases in addition to this).
Tangentially on topic, when did keybase get that terrible logo? It looks like it'd be the mascot for an off-brand bag of potato chips.