> The project was already compromised, the Git repository isn't any more trustworthy than the tarball.

You are talking about this in hindsight. For other projects, we do not know yet if anything similar is happening. So for them the Git repo is definitely more trustworthy.

> tarballs should be fully reproducible from Git.

That's exactly the same as trusting the Git repo more than the tarball.