Why sign Git tags?

Git provides the ability to sign annotated tags using a GPG private key, but what's wrong with just accepting only the tag declared as the source? What damage can a fake tag do if the tag does not change the commit?

+4
1 answer

What is wrong with just accepting a tag declared as a source?

Without it you have no guarantee that it is correct: you have to trust every person who has access to the repo (authorized or not) not to create a fake one. Signing guarantees (at least as far as GPG can offer) that the person who created the tag is who you think it is.

What damage can a fake tag do if the tag does not change the commit?

None. You seem to have confused two different ideas. A tag and a commit are completely separate objects - a tag points to a commit, but the tag is not a commit. So a tag will never change a commit. This is potentially what makes it dangerous: a fake tag will not change the commit history unexpectedly, and is more likely to go unnoticed.

+8
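The three points in the answer can be seen directly with git. The script below is an added example, not part of the original question or answer: it builds a throw-away repository with two commits (constructed sample data), shows that an annotated tag is its own object that merely points at a commit, re-points the tag at an older commit without touching any commit, and then runs `git verify-tag`, which rejects the tag because it carries no signature. It assumes only that `git` is installed; no GPG key is needed, since the failure mode (an unsigned tag does not verify) is the point.

```shell
#!/bin/sh
# Added example (not from the original post): tags are separate objects that
# point at commits, moving a tag leaves history untouched, and an unsigned tag
# fails `git verify-tag`. Assumes git is installed; no GPG key is required.
set -e

# Create a throw-away repo with two commits and an annotated, unsigned tag
# on HEAD; prints the repo path. All identities and content are constructed.
make_repo() {
  repo=$(mktemp -d)
  git -C "$repo" init -q
  git -C "$repo" config user.email "dev@example.invalid"   # constructed identity
  git -C "$repo" config user.name "Example Dev"
  git -C "$repo" config commit.gpgsign false                # keep the demo key-free
  git -C "$repo" config tag.gpgsign false
  echo "release candidate" > "$repo/notes.txt"
  git -C "$repo" add notes.txt
  git -C "$repo" commit -q -m "first commit"
  echo "final release" >> "$repo/notes.txt"
  git -C "$repo" commit -q -am "second commit"
  git -C "$repo" tag -a -m "v1.0 release" v1.0
  echo "$repo"
}

# Object type a name resolves to: "tag" for an annotated tag, "commit" for
# the commit it peels to (e.g. "v1.0^{commit}").
object_type() { git -C "$1" cat-file -t "$2"; }

# Commit id the tag ultimately points at (peels the tag object).
tag_target() { git -C "$1" rev-parse "$2^{commit}"; }

# Commit id of the branch tip; used to show history is not rewritten.
head_commit() { git -C "$1" rev-parse HEAD; }

# Re-point an existing tag at the previous commit. Anyone who can push to
# refs/tags can do this, and no commit object changes, which is exactly why
# the answer says a fake tag tends to go unnoticed.
move_tag_to_parent() {
  git -C "$1" tag -f -a -m "looks like the same release" "$2" HEAD~1 >/dev/null
}

# "verified" only if git accepts the tag's signature; an unsigned tag
# (or one signed by an untrusted key) yields "unverified".
verify_status() {
  if git -C "$1" verify-tag "$2" >/dev/null 2>&1; then
    echo verified
  else
    echo unverified
  fi
}

main() {
  repo=$(make_repo)
  echo "v1.0 is a '$(object_type "$repo" v1.0)' object -> commit $(tag_target "$repo" v1.0)"
  before=$(head_commit "$repo")
  move_tag_to_parent "$repo" v1.0
  if [ "$before" = "$(head_commit "$repo")" ]; then same=yes; else same=no; fi
  echo "after re-tagging: HEAD unchanged? $same"
  echo "v1.0 now points at $(tag_target "$repo" v1.0) (that is HEAD~1)"
  echo "git verify-tag v1.0: $(verify_status "$repo" v1.0)"
  rm -rf "$repo"
}
main
```

A consumer that runs `git verify-tag` (or `git tag -v`) before checking out a release, with the maintainers' public keys in its keyring, turns the last line from "unverified" into a hard failure for any tag that was not signed by a trusted key, which is the guarantee the answer describes.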
