> I think that the very same people who never check what's in a tarball are very unlikely to start checking diffs.
IMHO you're mistaken.
(a) checking the source package is not a one-liner. You need to untar to someplace temporary, run a recursive diff (remembering to not skip new files), then clean up the tempdir.
On the other hand, "git log --patch up..deb" is one simple
command; you even can add a shell alias or git alias for it.
(b) people (both the maintainer and others) routinely look at git changelogs, including with --patch or --stat.
I have no idea how unlikely my personal preferred workflow is,
being a sample size of one, but I have literally never examined a
just-assembled source package. On the other hand I run various
"git log" commands habitually, and based on the nonsense I did
find on several of those occasions I believe I'd notice strange
changes pretty soon(ish).
-- 
with kind regards
Matthias Urlichs
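The "untar to someplace temporary, run a recursive diff (remembering to not skip new files), then clean up" check that the mail describes, written out as one reusable shell function so it becomes as cheap to run as a git alias. This is an added example, not code from the thread or from any Debian tooling; the function name check_tarball, its two arguments and the sample package layout are assumptions.

```shell
#!/bin/sh
# Added example: compare the contents of a source tarball against a source
# tree (for instance a git checkout) and report anything that differs.
#
# check_tarball TARBALL SRCDIR
#   returns 0 when the unpacked tarball and SRCDIR are identical,
#   returns 1 when they differ (the differing paths are printed),
#   returns 2 when unpacking fails.
check_tarball() {
    tarball=$1
    srcdir=$2

    tmp=$(mktemp -d) || return 2
    # Remove the scratch directory however the function exits.
    trap 'rm -rf "$tmp"' EXIT INT TERM

    # Source tarballs normally wrap everything in one top-level directory
    # (pkg-1.0/...); --strip-components=1 drops that so paths line up with
    # SRCDIR. Assumption: the tarball follows that convention.
    tar -xf "$tarball" -C "$tmp" --strip-components=1 || return 2

    # -r  recurse into directories
    # -N  treat a file missing on one side as empty, so files that exist only
    #     in the tarball (or only in the tree) are reported, not skipped
    # -q  print only which files differ, not their contents
    # -x .git  ignore git metadata, which a tarball never carries
    if diff -rNq -x .git "$tmp" "$srcdir"; then
        rc=0
    else
        rc=1
    fi

    rm -rf "$tmp"
    trap - EXIT INT TERM
    return $rc
}

# Usage: sh check_tarball.sh pkg_1.0.orig.tar.gz path/to/checkout
if [ $# -eq 2 ]; then
    check_tarball "$1" "$2"
fi
```

The `-N` flag is the "remembering to not skip new files" part: without it, a file that exists only inside the tarball produces a bare "Only in" line that is easy to filter out by accident, and with `-q` alone it could be missed entirely. The function only answers "identical or not"; what to do about a difference (a generated file that is expected, or one that is not) is still the reviewer's call, just as with reading `git log --patch`.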