Closed
Description
LibGit2 (unlike CLI git) does not seem to validate the contents of the packfile when fetching.
This could be a problem when fetching from a possibly compromised source, e.g. create a "bad" repository using this script.
Attempting to clone this using CLI git throws an error:
fatal: did not receive expected object 12799ccbe7ce445b11b7bd4833bcc2c2ce1b48b7
fatal: index-pack failed
However LibGit2 happily fetches the repository.
While LibGit2 will throw an error if you attempt to use the invalid object, CLI git may not (e.g. it will certainly happily check out invalid loose objects, though maybe not packed files).
Essentially, the problem is that the "security barrier" is in different places for the different programs, so attempting to use both on the same repository may present a potential security hole.
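The check that git's index-pack performs at fetch time, and that this issue reports libgit2 skipping, is: inflate every object in the received pack, recompute its id from its contents, verify the pack's trailing SHA-1, and confirm that the objects the server advertised as ref tips are actually among what arrived. The following is an added, stand-alone illustration of that barrier in Python; it is not libgit2 or git code. The packfile encoding it parses (version-2 header, varint entry headers, zlib-compressed bodies, 20-byte SHA-1 trailer) is the real on-disk format, but it only hashes undeltified entries and merely counts delta entries, and the "advertised" ref tip, the honest and swapped blob contents, and the flipped trailer byte in `demo()` are constructed sample data.

```python
"""Verify a git packfile the way a fetch client should: recompute each
object's id from its contents, check the trailing SHA-1, and confirm the
objects the server advertised as ref tips are actually present.

Added example, not code from libgit2 or git. Delta entries (types 6 and 7)
are skipped over and counted rather than resolved."""
import hashlib
import zlib

OBJ_TYPES = {1: b"commit", 2: b"tree", 3: b"blob", 4: b"tag"}
OFS_DELTA, REF_DELTA = 6, 7


def git_oid(type_name: bytes, data: bytes) -> str:
    """SHA-1 over the loose-object header plus content, as git names objects."""
    return hashlib.sha1(b"%s %d\0%s" % (type_name, len(data), data)).hexdigest()


def _encode_entry_header(type_num: int, size: int) -> bytes:
    # Pack entry header: 3-bit type and the size as a little-endian varint
    # (4 bits in the first byte, 7 bits in each continuation byte).
    byte = (type_num << 4) | (size & 0x0F)
    size >>= 4
    out = bytearray()
    while size:
        out.append(byte | 0x80)
        byte = size & 0x7F
        size >>= 7
    out.append(byte)
    return bytes(out)


def build_pack(objects) -> bytes:
    """Build a version-2 pack holding undeltified (type_num, data) objects."""
    body = bytearray(b"PACK" + (2).to_bytes(4, "big") + len(objects).to_bytes(4, "big"))
    for type_num, data in objects:
        body += _encode_entry_header(type_num, len(data)) + zlib.compress(data)
    return bytes(body) + hashlib.sha1(body).digest()


def _decode_entry_header(buf: bytes, pos: int):
    c = buf[pos]
    pos += 1
    type_num, size, shift = (c >> 4) & 0x07, c & 0x0F, 4
    while c & 0x80:
        c = buf[pos]
        pos += 1
        size |= (c & 0x7F) << shift
        shift += 7
    return type_num, size, pos


def verify_pack(pack: bytes, expected_oids) -> dict:
    """Return what a cautious fetch client should know before trusting a pack."""
    if pack[:4] != b"PACK" or int.from_bytes(pack[4:8], "big") != 2:
        raise ValueError("not a version-2 packfile")
    count = int.from_bytes(pack[8:12], "big")
    body, trailer = pack[:-20], pack[-20:]
    result = {"checksum_ok": hashlib.sha1(body).digest() == trailer,
              "oids": set(), "deltas_unverified": 0}
    pos = 12
    for _ in range(count):
        type_num, size, pos = _decode_entry_header(body, pos)
        if type_num == REF_DELTA:
            pos += 20                      # base object id precedes the delta
        elif type_num == OFS_DELTA:
            while body[pos] & 0x80:        # negative-offset varint
                pos += 1
            pos += 1
        d = zlib.decompressobj()
        data = d.decompress(body[pos:])
        if not d.eof:
            raise ValueError("truncated zlib stream in pack entry")
        pos = len(body) - len(d.unused_data)
        if type_num in OBJ_TYPES:
            if len(data) != size:
                raise ValueError("entry size does not match inflated content")
            result["oids"].add(git_oid(OBJ_TYPES[type_num], data))
        else:
            result["deltas_unverified"] += 1  # resolving deltas is out of scope here
    if pos != len(body):
        raise ValueError("trailing garbage before pack checksum")
    # The equivalent of git's "did not receive expected object": advertised
    # ref tips whose ids are not among the objects we actually hashed.
    result["missing"] = set(expected_oids) - result["oids"]
    return result


def demo():
    """Constructed scenarios: an honest pack, a content-swapped pack, a damaged one."""
    honest_blob = b"hello\n"
    advertised = {git_oid(b"blob", honest_blob)}   # what the "server" claims HEAD is
    good = verify_pack(build_pack([(3, honest_blob)]), advertised)
    # Content swapped but trailer recomputed: checksum passes, expected object absent.
    swapped = verify_pack(build_pack([(3, b"hacked\n")]), advertised)
    # Honest content, last checksum byte flipped in transit: checksum fails.
    damaged = build_pack([(3, honest_blob)])
    damaged = damaged[:-1] + bytes([damaged[-1] ^ 0xFF])
    corrupt = verify_pack(damaged, advertised)
    return good, swapped, corrupt


if __name__ == "__main__":
    for label, r in zip(("honest", "swapped", "damaged"), demo()):
        print(label, "checksum_ok=%s missing=%s" % (r["checksum_ok"], sorted(r["missing"])))
```

The swapped case is the one this issue is about: the pack is internally consistent (its trailer checksum verifies), so only a client that re-hashes object contents and compares them with what it asked for notices that the advertised object never arrived. A client that stores the pack without that comparison defers the failure to whoever later reads the object, which is the mismatch in barriers described above.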