Well you mentioned it in your comment, tags are not specific commits. Go Modules standardize around SemVer, and fallback to hashes only when it needs to. The reality is anyone can git push -f and change what a tag points to currently.
So the scenario goes like this:
1. Someone requests a module from GoCenter that is currently not in it's caches.
2. Gocenter downloads the requested version v1.2.3, and stores that.
3. Bad/Careless/Ignorant/Evil (depending on circumstances, I guess) git push -f's
4. Module is requested in Google's module proxy, which now loads a "v1.2.3" into it's local caches, but it contains different code now than "v1.2.3" of GoCenter
Outside of git push -f, there are other hacky techniques you can use to "update" the code a tag points to.
So the scenario goes like this: 1. Someone requests a module from GoCenter that is currently not in it's caches. 2. Gocenter downloads the requested version v1.2.3, and stores that. 3. Bad/Careless/Ignorant/Evil (depending on circumstances, I guess) git push -f's 4. Module is requested in Google's module proxy, which now loads a "v1.2.3" into it's local caches, but it contains different code now than "v1.2.3" of GoCenter
Outside of git push -f, there are other hacky techniques you can use to "update" the code a tag points to.