Someone that can wrap your sudo binary can wrap you git binary too. Once your OS is compromised all bets are off.