This is true for git, too. However, I don't know of any git command like "svn export" that doesn't also pull the .git directory. The working solution seems to be to simply delete the .git directory after a clone ---preferably in some nice deploy script --- in conjunction with appropriate *nix file and Apache permissions.
The .git directory, however, is top-level, rather than in every directory in your repository, so it'll only be a problem if your site root is the same as your repository root.
If the server is ever exploited then they have all your revision history (including anything accidentally checked in that you didn't rebase(?) out) but you do have the added advantage of being able to quickly check for any modifications to any of your code. My repo's follow a /public /logs/ /app so with git (over svn) none of the repo is exposed.
Why are you pushing files with rsync with a working copy? That is what "export" is for. There is no special security in the .svn folder, because you are not supposed to publish it to the website.
To be perfectly honest I'm not sure if its an rsync or a checkout. I'm not the sys admin or the person who set up the process. But doing an export makes sense, that was something I was thinking about after I discovered this. Thanks for the confirmation.
Regardless, this problem exists and it exists on some extremely large websites.
I mentioned this to our sys admin. He made a good point... Export will copy every file in the repository over, every time. Our repo is quite large and we push often. We use rsync so it only copies the most recent changes. They also go out to a number of servers.