That's the conventional thinking, but it has been proven false by this xz incident. The maintainer of xz did not inject any malicious code into the git repo, but only in the tarball, exactly because the latter is subject to far fewer eyes and he took far fewer risks polluting only the tarball.

The project was already compromised; the Git repository isn't any more trustworthy than the tarball.

And if there is any relevant lesson from the xz case, it isn't to trust Git more than tarballs but, as someone else mentioned already, that tarballs should be fully reproducible from Git.

> The project was already compromised; the Git repository isn't any more trustworthy than the tarball.

You are talking about this from hindsight. For other projects, we do not know yet if anything similar is happening. So for them the Git repo is definitely more trustworthy.

> tarballs should be fully reproducible from Git.

That's exactly the same as trusting the Git repo more than the tarball.
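One concrete form of the "tarballs should be reproducible from Git" check discussed in this thread, as an added example that is not from any of the commenters or from the xz project: compare the file list and contents of a release tarball against `git ls-tree` of the matching tag and report anything extra or modified. The helper names (`tarball_vs_git`, `demo`) and the fixture (a constructed repo, tag `v1.0`, files `configure.ac`, `src/main.c`, `m4/extra.m4`) are assumptions; it assumes `git`, `tar` and `cmp` are installed and that the tarball has a single top-level directory.

```shell
#!/bin/sh
# Added example, not code from the thread or from any project.

# tarball_vs_git <tarball.tar.gz> <repo-dir> <git-ref>
# Prints "extra <path>" for files in the tarball that the ref does not contain
# and "modified <path>" for files whose content differs from the committed blob.
# Anything it prints is content that the reviewed Git history did not produce.
tarball_vs_git() {
    tb=$1; repo=$2; ref=$3
    tmp=$(mktemp -d)
    mkdir "$tmp/x"
    tar -xzf "$tb" -C "$tmp/x"
    root="$tmp/x/$(ls "$tmp/x")"          # assumes one top-level directory
    (cd "$root" && find . -type f | sed 's#^\./##' | LC_ALL=C sort) > "$tmp/tar.lst"
    git -C "$repo" ls-tree -r --name-only "$ref" | LC_ALL=C sort > "$tmp/git.lst"
    # Paths only in the tarball
    LC_ALL=C comm -23 "$tmp/tar.lst" "$tmp/git.lst" | sed 's/^/extra /'
    # Paths in both: byte-compare the shipped file with the committed blob
    LC_ALL=C comm -12 "$tmp/tar.lst" "$tmp/git.lst" | while read -r f; do
        if ! git -C "$repo" cat-file blob "$ref:$f" | cmp -s - "$root/$f"; then
            echo "modified $f"
        fi
    done
    rm -rf "$tmp"
}

# demo: builds a constructed repo and a release tarball that adds one file and
# edits another, then runs the comparison. Returns the report on stdout.
demo() {
    w=$(mktemp -d)
    mkdir -p "$w/repo/src"
    printf 'AC_INIT([pkg],[1.0])\n' > "$w/repo/configure.ac"
    printf 'int main(void){return 0;}\n' > "$w/repo/src/main.c"
    git -C "$w/repo" init -q
    git -C "$w/repo" add -A
    git -C "$w/repo" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m "release 1.0"
    git -C "$w/repo" tag v1.0
    # Release tree: committed files plus one extra file and one edited file
    mkdir -p "$w/rel/pkg-1.0/m4"
    cp -R "$w/repo/configure.ac" "$w/repo/src" "$w/rel/pkg-1.0/"
    printf 'dnl constructed file not present in git\n' > "$w/rel/pkg-1.0/m4/extra.m4"
    printf 'AM_INIT_AUTOMAKE\n' >> "$w/rel/pkg-1.0/configure.ac"
    tar -czf "$w/pkg-1.0.tar.gz" -C "$w/rel" pkg-1.0
    tarball_vs_git "$w/pkg-1.0.tar.gz" "$w/repo" v1.0
    rm -rf "$w"
}
```

Running `demo` reports `extra m4/extra.m4` and `modified configure.ac`; on a real release, run `tarball_vs_git` against the published tarball and tag, and treat any output as something that needs an explanation from the release process.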