The .git directory, however, is top-level, rather than in every directory in your repository, so it'll only be a problem if your site root is the same as your repository root.
If the server is ever exploited then they have all your revision history (including anything accidentally checked in that you didn't rebase(?) out) but you do have the added advantage of being able to quickly check for any modifications to any of your code. My repo's follow a /public /logs/ /app so with git (over svn) none of the repo is exposed.
