
Some ISPs still tamper with DNS traffic irrespective of which DNS server they're to/from. githubusercontent.com has no DNSSEC, so it's not tamperproof.


It wouldn't be tamperproof even with DNSSEC for most of that ISP's customers, because DNSSEC is server-to-server, and collapses down to a single "yep, we checked DNSSEC" bit in the response header. This is a big part of why nobody does DNSSEC, and why the browsers adopted DNS-over-HTTP to solve this particular problem.


Through what mechanism is it possible for them to bypass custom DNS servers? Does DNS over other protocols prevent this tampering?


DNS traffic is plaintext. MITM is all that's needed to be able to bypass custom DNS servers. An ISP, obviously, has to be in an MITM position to be able to provide internet service.

Here's an example: https://jeff.vtkellers.com/posts/technology/force-all-dns-qu...
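To make the two points above concrete (plaintext UDP/53 can be answered by anything in the path, and DNSSEC reaches a stub resolver only as the single AD bit in the response header, which that same in-path box can set), here is a small added example. It is not code from the linked post or from any commenter. It hand-encodes a DNS query with no third-party library, forges the kind of reply an intercepting box could send, and offers a probe that sends a plaintext query to an address that should not be running a resolver; a well-formed answer from such an address means something on the path intercepted the query. The hostname and the 192.0.2.0/24 (TEST-NET-1) addresses are constructed placeholders, and all function names are this example's own.

```python
import secrets
import socket
import struct

# Constructed, minimal DNS wire-format helpers (RFC 1035 header and A records).
# Added illustration only; nothing here comes from the thread or the linked post.

def build_query(name, qtype=1, txid=None):
    """Encode a recursive A query. RD=1, and AD=1 to ask the resolver to report validation."""
    txid = secrets.randbits(16) if txid is None else txid
    flags = 0x0100 | 0x0020                      # RD | AD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)   # class IN

def parse_header(msg):
    """Decode the 12-byte header; AD is the only DNSSEC signal a stub ever sees."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & 0x8000),
        "ad": bool(flags & 0x0020),              # "authentic data" bit, set by whoever wrote the reply
        "rcode": flags & 0x000F,
        "answers": an,
    }

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        l = msg[off]
        if l == 0:
            return off + 1
        if l & 0xC0 == 0xC0:                     # compression pointer terminates the name
            return off + 2
        off += 1 + l

def parse_a_records(msg):
    """Walk the answer section and return the IPv4 addresses of any A records."""
    qdcount = struct.unpack("!H", msg[4:6])[0]
    off = 12
    for _ in range(qdcount):
        off = _skip_name(msg, off) + 4           # skip QTYPE/QCLASS
    addrs = []
    for _ in range(parse_header(msg)["answers"]):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def build_response(query, addrs, ad=False, ttl=60):
    """Forge the reply an in-path box could return for `query`.

    Because the transport is plaintext, the forger copies the transaction ID and
    question verbatim and is free to set AD, so the client cannot tell this
    from a validated answer.
    """
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8180 | (0x0020 if ad else 0)       # QR | RD | RA (| AD)
    question = query[12:_skip_name(query, 12) + 4]
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    rrs = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(a)   # name = pointer to question
        for a in addrs
    )
    return header + question + rrs

def probe_interception(name, resolver_ip, timeout=2.0):
    """Send a plaintext query to `resolver_ip`; a reply from an address that runs
    no resolver (e.g. an unused TEST-NET address) means the path answered for it."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (resolver_ip, 53))
        try:
            resp, (src, _) = s.recvfrom(4096)
        except OSError:                          # timeout or ICMP unreachable: nobody answered
            return {"intercepted": False, "answers": [], "ad": None}
    hdr = parse_header(resp)
    if hdr["id"] != parse_header(q)["id"] or not hdr["qr"]:
        return {"intercepted": False, "answers": [], "ad": None}
    return {"intercepted": True, "from": src, "answers": parse_a_records(resp), "ad": hdr["ad"]}

if __name__ == "__main__":
    # Offline demo: a forged reply that claims DNSSEC validation via AD=1.
    q = build_query("example.com")
    forged = build_response(q, ["192.0.2.10"], ad=True)
    print(parse_header(forged), parse_a_records(forged))
```

To run the live check, call `probe_interception("example.com", "192.0.2.1")` from a network you suspect; with no interception you get a timeout, while an answer attributed to that address shows that the ISP (or another on-path device) is responding to port 53 regardless of the destination you chose. DoH or DoT removes the forgery option because the reply is bound to a TLS session with the resolver you picked, which is the property the thread says DNSSEC alone does not give a stub.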



