It seems even upstream doesn’t fully support it:
https://bugzilla.redhat.com/show_bug.cgi?id=1360939
I also found this (old) post which explains potential problems:
Also I can’t understand how a MITM is possible: even if repomd.xml is compromised, all RPMs are GPG signed and the verification is enabled by default.
Yes, you could get a tampered metadata file, but the RPMs will be the good ones.