I also found this (old) post which explains potential problems:
Also, I can’t understand how a MITM is possible: even if repomd.xml is compromised, all RPMs are GPG signed and the verification is enabled by default.
Yes, you could get a tampered metadata file, but RPMs will be the good ones.
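The two settings the thread is circling (package signatures via `gpgcheck`, metadata signatures via `repo_gpgcheck`) live side by side in each `.repo` file, so a quick audit is to read those files and flag any enabled repo where either check is off. The following is an added example written for this thread, not code from any of the posters or from the yum/dnf projects; the sample `.repo` content is constructed, the `repo.example.invalid` URL and key path are placeholders, and treating a missing `gpgcheck`/`repo_gpgcheck` key as "off" is a deliberately conservative assumption. The optional `gpgv` call is the standard `gpgv --keyring KEYRING SIGFILE FILE` form and simply returns `None` when `gpgv` is not installed.

```python
import configparser
import shutil
import subprocess
from typing import Dict, List, Optional

# Constructed sample .repo file (not taken from the thread): one repo checks
# only package signatures, the other also verifies the signed repomd.xml.
SAMPLE_REPO_FILE = """\
[thirdparty-pkgs-only]
name=Third-party repo, packages signed only
baseurl=https://repo.example.invalid/el/$releasever/$basearch/
enabled=1
gpgcheck=1
repo_gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-thirdparty

[thirdparty-full]
name=Third-party repo, packages and metadata signed
baseurl=https://repo.example.invalid/el/$releasever/$basearch/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-thirdparty
"""


def audit_repo_config(text: str) -> Dict[str, List[str]]:
    """Return {repo_id: [findings]} for every enabled repo whose settings
    leave package or metadata signature verification off.

    Assumption (conservative): an absent gpgcheck/repo_gpgcheck key is
    treated as 0, i.e. as "verification not enabled".
    """
    parser = configparser.ConfigParser(interpolation=None)  # keep $releasever literal
    parser.read_string(text)
    findings: Dict[str, List[str]] = {}
    for repo in parser.sections():
        sec = parser[repo]
        if sec.get("enabled", "1").strip() != "1":
            continue  # disabled repos cannot be used for installs
        problems = []
        if sec.get("gpgcheck", "0").strip() != "1":
            problems.append("gpgcheck is not 1: package signatures are not verified")
        if sec.get("repo_gpgcheck", "0").strip() != "1":
            problems.append("repo_gpgcheck is not 1: repomd.xml is accepted unsigned")
        if not sec.get("gpgkey", "").strip():
            problems.append("gpgkey is not set: no trusted key to verify against")
        if problems:
            findings[repo] = problems
    return findings


def verify_repomd_signature(repomd_path: str, sig_path: str, keyring: str) -> Optional[bool]:
    """Verify a detached repomd.xml.asc against a keyring with gpgv.

    Returns True/False for a good/bad signature, or None when gpgv is not
    available on this host (so callers can distinguish "unchecked" from "bad").
    """
    if shutil.which("gpgv") is None:
        return None
    result = subprocess.run(
        ["gpgv", "--keyring", keyring, sig_path, repomd_path],
        capture_output=True, text=True, check=False,
    )
    return result.returncode == 0


if __name__ == "__main__":
    for repo_id, problems in audit_repo_config(SAMPLE_REPO_FILE).items():
        for problem in problems:
            print(f"{repo_id}: {problem}")
```

Running the script on the constructed sample reports only `thirdparty-pkgs-only`, whose RPMs would still be signature-checked but whose metadata could be swapped without detection; the second repo passes. Point `audit_repo_config` at the contents of the files under `/etc/yum.repos.d/` to run the same check on a real host.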
It’d be nice to update the wiki as well with (current) instructions on how to do this for third-party repo maintainers. I see the four-year-old blog post, but in two major releases of RHEL/CentOS, I’d suspect things may have changed a bit.