Ironically, Homebrew uses git to update its package metadata, but presumably you already trust Homebrew to not deliver malicious software (I also don't know if "pull" is vulnerable, or just "clone" and "checkout". Also Homebrew is hosted on Github, which now scans/blocks malicious repos)