it lies, as neither ssh nor sshd does not care about .pub file at all. This file is written by ssh-keygen and only exists to make it easier to create authorized_keys.

I suppose one can put evil command into .pub file and wait until user does "cp id_foo.pub authorized_keys" without examining contents of either file. But that does not happen often at all (how often do you setup new machine?), and it is defeated trivially by checking authorized_keys file after you update it, something which is always a good idea anyway.