Since branch name parsing is done by a lot of scripts, and I can't control the default branch name, I've installed this global post-checkout hook for now until I can stop panicking and think clearly.

    #!/bin/sh
    prev_head=$1
    new_head=$2
    changing_branch=$3

    REPO_DIR="$(git rev-parse --show-toplevel 2>/dev/null)"

    if [ "$changing_branch" = 1 -a "$prev_head" = "0000000000000000000000000000000000000000" ]; then
        new_head_name="$(git name-rev --name-only "$new_head"|sed -e 's|`|_|g' -e 's|$(|_|g')"
        new_head_name_untaint="$(git name-rev --name-only "$new_head"|sed -e 's|`|x|g' -e 's|$(|x|g')"
        if [ "$new_head_name" != "$new_head_name_untaint" ]; then
            echo "
    DANGER! INSECURE BRANCH NAME.
    ">&2
            git name-rev --name-only "$new_head"

            echo "
    MOVING $REPO_DIR TO TRASH.
    ">&2
            mkdir -p ~/.Trash
            mv "$REPO_DIR" "$HOME/.Trash/${REPO_DIR##*/}.$(date +"%Y%m%d%H%M%S")"
        fi
    fi