It can be used to break out from restricted environments by running non-interactive system commands.
git blame supports the (undocumented) option --output, but if no other positional
parameters are present, the destination file can only be created or truncated.
If the Git repository is controlled, planting a bare repository at the top-level
with a malicious configuration (e.g. core.fsmonitor), truncating .git/config
and then running another Git command is enough to gain code execution.
git blame '--output=.git/config'
git status