That's a good question. I believe it is more important in some bigger or more significant projects, when you want to know if commits really come from a legitimate person.
Because the private key (and passphrase) is known only to a specific person, seeing that a commit is signed with that key lets you trust the content of that commit. Unless that person's private key is leaked and its passphrase is cracked or obtained some other way, there is no possibility of creating a malicious commit by impersonating the real author.
Think about big projects like the Linux kernel. These are widely used products, and the opportunity to slip in a backdoor or vulnerability can be really tempting for malicious actors.
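To show the check this answer relies on, here is an added demonstration (my own script, not part of the original answer): it generates a throwaway GPG key in an isolated keyring, makes one signed and one unsigned commit in a temporary repository, and runs `git verify-commit` on each. It assumes `git` and `gpg` (2.1 or newer) are on PATH; the signer identity is constructed for the demo and nothing touches your real keyring or repositories.

```shell
#!/bin/sh
# Added demo (not from the original post): sign a commit with a throwaway GPG key,
# then verify it. Assumes `git` and `gpg` 2.1+ are installed. Everything lives in a
# temporary directory created by mktemp; your real keyring is never used.
set -eu

# Create an isolated keyring and repository so the demo is self-contained.
setup_demo() {
    DEMO_DIR=$(mktemp -d)
    export GNUPGHOME="$DEMO_DIR/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    # Throwaway key with no passphrase (constructed identity, demo only).
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key "Demo Signer <demo-signer@example.invalid>" default default 0 2>/dev/null
    # First "fpr" record in colon output is the primary key fingerprint.
    KEY_FPR=$(gpg --batch --list-secret-keys --with-colons | awk -F: '/^fpr/ {print $10; exit}')
    REPO="$DEMO_DIR/repo"
    git init -q "$REPO"
    git -C "$REPO" config user.name "Demo Signer"
    git -C "$REPO" config user.email "demo-signer@example.invalid"
    git -C "$REPO" config user.signingkey "$KEY_FPR"
    git -C "$REPO" config gpg.program gpg
}

# Commit with -S so git asks gpg to sign the commit object with the key above.
make_signed_commit() {
    echo "hello" > "$REPO/README"
    git -C "$REPO" add README
    git -C "$REPO" commit -q -S -m "signed change"
}

# Commit without a signature: all that someone without the private key can produce.
make_unsigned_commit() {
    echo "unsigned" >> "$REPO/README"
    git -C "$REPO" add README
    git -C "$REPO" commit -q --no-gpg-sign -m "unsigned change"
}

# Print "good" when the commit carries a valid signature from a key in our keyring,
# "bad" otherwise. git verify-commit exits non-zero for missing or invalid signatures.
check_commit() {
    if git -C "$REPO" verify-commit "$1" >/dev/null 2>&1; then
        echo good
    else
        echo bad
    fi
}

run_demo() {
    setup_demo
    make_signed_commit
    SIGNED=$(git -C "$REPO" rev-parse HEAD)
    make_unsigned_commit
    UNSIGNED=$(git -C "$REPO" rev-parse HEAD)
    echo "signed commit:   $(check_commit "$SIGNED")"
    echo "unsigned commit: $(check_commit "$UNSIGNED")"
}

run_demo
```

The same check is what `git log --show-signature` and `git merge --verify-signatures` perform; in a real project the verifying side must also have the author's public key in its keyring, otherwise even a genuine signature reports as unverifiable.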