Have you ever wondered, why your IDE asks you, if you “trust” the code you checked out via git?
While the risks of embedded bare repositories is well described (more details here), I suspect that it will stay exploitable for quite some time.
There is an opt-in mitigation in setting safe.bareRepository to explicit with git 2.38.0. Also a proof of concept is available.
Just don’t forget the even more obvious risk with .git/hooks/ - but they at least won’t trigger from “just” git clone and observing the repository status - if it wasn’t for the embedded bare repo.