man in the middle – What’s the point of providing file checksums for verifying downloads?

Many projects offering binaries, also offer hashes (e.g. SHA256) of those binaries, wither as .ASC files, or directly on the web page near the binary. This isn’t to protect against network-caused corruption, as that’s ensured by the TCP protocol.

Given that the binary and the hash are downloaded from the same server (example from very sensitive software, bitcoin-core), what attack scenarios does this technique prevent?

If an attacker managed to tamper with the binary, why wouldn’t they be able to change the checksum in the same way? Same for the attacker performing MITM and tampering the download in transit.

Note that I’m not talking about public/private key signing, which is far more secure because the attacker would also need to get the signer’s private key. I’m only talking about the point of providing checksums/hashes along with downloads. This is even stranger for bitcoin-core, which has both the mechanisms and the audience to sign the file with a private key.

I can imagine that a separate, secret, monitoring bot hosted on a completely different system, could download the signature file every minute (given its tiny size) and check it against tampering, but I haven’t heard of this being done.