Practically, if your dev machine was compromised by a targeted attacker, they could create commits using your identity and, if they compromised another dev machine, could approve those commits using that developer's identity. The attack would then be visible only in commit logs, with low odds of discovery before release to prod.