> Clearer guidelines that even if users got bad copies of data with malicious commits, that the malicious commits would not execute.

Eh, that sees unwise. To suggest based on what you think you are "sure" about security protections, that users should not worry about having a copy with malicious code.