This kind of system should still not be designed to use shaN. Use multihash so you can upgrade if/when collision generation becomes feasible. (As ipfs does.)
This appears to have been due to a corrupt repo, so not a legit collision.
Repos can be constructed with what look like colliding objects. Git's "SHA1 COLLISION FOUND" is triggered if 2 objects with the same sha appear to have different sizes or types. This can easily happen due to corruption; flip a bit in the type and a tree object seems to be a colliding blob object.
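Added example, not part of the comment above and not Git's own code: a check that separates a corrupted copy of an object from a genuine collision by re-hashing each stored copy against the name it is filed under. The object encoding (`<type> <size>\0<body>`, zlib-compressed on disk) is Git's; the function names, the sample tree body and the simulated type corruption are constructed for illustration.

```python
import hashlib
import zlib

def encode_object(obj_type: bytes, body: bytes) -> bytes:
    """Bytes Git hashes for an object: b'<type> <size>\\0<body>'."""
    return obj_type + b" " + str(len(body)).encode() + b"\0" + body

def object_id(obj_type: bytes, body: bytes) -> str:
    """SHA-1 object name, computed over header plus body."""
    return hashlib.sha1(encode_object(obj_type, body)).hexdigest()

def parse_loose(compressed: bytes):
    """Inflate a loose object; return (type, declared size, raw bytes)."""
    raw = zlib.decompress(compressed)
    header, _, _body = raw.partition(b"\0")
    obj_type, _, size = header.partition(b" ")
    return obj_type, int(size), raw

def classify(name: str, copy_a: bytes, copy_b: bytes) -> str:
    """Classify two stored copies that are both filed under `name`."""
    type_a, size_a, raw_a = parse_loose(copy_a)
    type_b, size_b, raw_b = parse_loose(copy_b)
    if raw_a == raw_b:
        return "identical"
    # A real collision needs BOTH byte strings to hash to the same name.
    # If either copy fails the re-hash, the mismatch is corruption.
    ok_a = hashlib.sha1(raw_a).hexdigest() == name
    ok_b = hashlib.sha1(raw_b).hexdigest() == name
    if ok_a and ok_b:
        return "collision"
    what = "type" if type_a != type_b else "size" if size_a != size_b else "body"
    return "corruption (%s differs)" % what

def demo() -> str:
    # Constructed tree body: one entry, mode + name + 20-byte placeholder id.
    body = b"100644 README\0" + bytes(20)
    name = object_id(b"tree", body)
    good = zlib.compress(encode_object(b"tree", body))
    # Simulated corruption: same body, header type now reads "blob".
    bad = zlib.compress(encode_object(b"blob", body))
    return classify(name, good, bad)

if __name__ == "__main__":
    print(demo())
```
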
Thanks @joeyh for the analysis and references. On top of all that, the global namespace would be only commits, not every kind of object, so that further reduces the risk of collision. I feel less concerned now. :-)