There is also configuration related to which filesystem monitor to launch, triggered bygit status.

Nice catch, I think that should be covered bycore.fsmonitor=false. I also looked atreceive.procReceiveRefs,uploadpack.packObjectsHook, andremote.<name>.vcs but couldn't see how to disable them here.

I see, sections that are dependent on actual values are problematic.

I think there is alsoGIT_SSH_PROGRAM, and there are probably more.

Yes, thanks,GIT_SSH_COMMAND. I just went throughhttps://git-scm.com/book/en/v2/Git-Internals-Environment-Variables and picked out all the relevant ones.

I think without exhaustive tests and actually challenging the code we wouldn't want to make the flag seem like a perfect defence.
Somehow I feel thatas safe as possible should rather be a disclaimer about this being a best-effort basis and that the defence is probably not complete, while stating what it focusses on.

Agreed. This is what I have so far:

Lock down the configuration to make it as safe as possible when working with publicly accessible, untrusted repositories. This disables all known options that can run an external program and limits networking to the HTTP protocol via https:// URLs. This might not cover Git config options that were added since this was implemented, or options that might have unknown exploit vectors. It is a best effort defense rather than an exhaustive protection measure.

That sounds good! Maybe it makes sense to explicitly mention configuration keys with subsections, as these are particularly hard to pickup.

On the bright side, thinking about it, this would only be a problem if someone else controls the environment or the configuration. Maybe the latter is common for repositories on shared drives?