Yes. (a) You are not a typical user; (b) disabling SIP takes five minutes plus whatever productivity loss is caused by rebooting; (c) it isn't actually necessary to disable SIP to make git inaccessible, as described later in the post; (d) even if it were, you would get most of the protection by just installing your own git in a different location and changing PATH; and (e) the vulnerability in question is incredibly minor anyway, considering the percentage of the time that most people follow checking out a repository by intentionally running arbitrary code from it, which (f) would at least partially justify Apple not backporting the patch, but then again, nobody in this thread has even verified that they haven't.
It is not necessary to run anything except "git clone". An attacker can construct a repository such that merely attempting to clone it would execute arbitrary code. This is why the vulnerability was given a CVSS base severity score of 9.8 (out of a possible 10).
I know, but Git is mostly used for software development, and people mostly clone unfamiliar Git repositories with the intent to build and/or run the included software, mostly without performing a full manual inspection of the code beforehand; even if they only build, most build systems allow specifying arbitrary commands to run. Thus, in the common case, exploiting the vulnerability gives the author of a malicious repository only the power they would have gotten shortly afterward anyway. Of course, there are exceptions to all of those "most"s (especially the first one, I think), but my conclusion is still that the overall danger of that particular vulnerability is pretty minor.
