Status: Open
Labels: enhancement (New feature or request)

Description
Git has a couple config variables around repositories that aren't owned by the current user. This speaks to a threat model that we should consider.
By default, Git will refuse to even parse a Git config of a repository owned by someone else, let alone run its hooks, and this config setting allows users to specify exceptions.
The main question is, should we mirror/adopt this behaviour?
Update
While we might not run githooks, we might still run into the same security consideration as in the CVE linked below. Ergo, this is a prudent feature to add as a security measure.
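The ownership check described above, as an added example that is neither this project's nor Git's own code: a repository owned by another uid is distrusted unless its path is on an allowlist, modelled on Git's real `safe.directory` setting (exact path or `*`) and its handling of `SUDO_UID` when running as root. The function names and the uid values in the comments are assumptions.

```python
import os
from typing import Iterable, Optional


def is_safe_repository(repo_path: str, repo_owner_uid: int, current_uid: int,
                       allowlist: Iterable[str],
                       sudo_uid: Optional[int] = None) -> bool:
    """Decide whether a repository's config (and hooks) may be trusted.

    - Owned by the current user: trusted.
    - Running as root via sudo: the invoking user's repositories are trusted
      too (Git reads SUDO_UID for the same purpose).
    - Otherwise: trusted only if the path is explicitly allowlisted, or the
      allowlist contains the wildcard '*' (which disables the check entirely).
    """
    if repo_owner_uid == current_uid:
        return True
    if current_uid == 0 and sudo_uid is not None and repo_owner_uid == sudo_uid:
        return True
    wanted = os.path.normpath(repo_path)
    for entry in allowlist:
        if entry == "*":
            return True
        if os.path.normpath(entry) == wanted:
            return True
    return False


def check_repository_on_disk(repo_path: str, allowlist: Iterable[str]) -> bool:
    """POSIX wrapper: read the real owner of repo_path and apply the policy."""
    st = os.stat(repo_path)
    sudo_uid_env = os.environ.get("SUDO_UID")
    sudo_uid = int(sudo_uid_env) if sudo_uid_env and sudo_uid_env.isdigit() else None
    return is_safe_repository(repo_path, st.st_uid, os.geteuid(), allowlist, sudo_uid)


def config_path_or_refuse(repo_path: str, repo_owner_uid: int, current_uid: int,
                          allowlist: Iterable[str]) -> str:
    """Return the config file to parse, or raise before touching it."""
    if not is_safe_repository(repo_path, repo_owner_uid, current_uid, allowlist):
        raise PermissionError(
            f"refusing to read config of {repo_path}: owned by uid "
            f"{repo_owner_uid}, not {current_uid}; allowlist it to trust it")
    return os.path.join(repo_path, ".git", "config")
```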