Building on what has been said, reading commit logs is everything however there are ways to trick the end user and having them download files that are not obvious to them.
One way is to add files to the git object database directly instead of the repo (so using git hash-object command instead of the normal git add). That way they don't appear when you type a list command, so it won't be obvious that they are pulled down.
$ echo 'version 1'> test.txt$ git hash-object -w test.txt83baae61804e65cc73a7201a7252750c76066a30Your database contains the new content:
$ find .git/objects -type f.git/objects/83/baae61804e65cc73a7201a7252750c76066a30I have seen projects use this method to hide secrets and credentials which is not secure and is simply security by obscurity.
