There are lots of good reasons to have your server's codebase be an actual git checkout. But there's one potential flaw: your entire repository's history ends up in your webroot inside a .git folder.
You can block access to it in your .htaccess, but that's hacking core (until this patch lands at least).
There is however an alternative method that lets you keep the entirety of git's working folder outside the webroot completely.
Here's how to convert an existing repository to this format: