An example? Ok. Back when something else was using a simple CRC, someone tried to replace a file with another, bypassing the normal history system. The CRC was good enough to detect it; so, something was needed that was good enough to detect/stop this.
But more importantly: The hash is the filename of the file. It is critical that the hash be good enough that you won't get duplicate filenames. CRC doesn't do that. Sha-1 does.
The checksum has to be good enough to make a unique filename in normal use.
It does not have to be good enough to guarantee non-alteration, but that's a really good secondary; it does have to be good enough to detect accidental damage (such as memory/disk/network/driver/etc corruption).
Now, a secondary benefit of the whole "layer upon layer" approach: The hash of the last commit is only valid if every file and commit to date is accurate. If you know the hash of your last commit (20 bytes, I think), and you can validate all the hashes in the past, then you know that nothing has altered any file outside of the git mechanism.