Malice in this context could mean that they are concerned about someone tracking the activity.
If you are connected to a server, the server is the only connection (and the only one with a log), but with a torrent there are multiple connections, so multiple parties could be keeping logs.
SHA-1 has been broken since 2017. It is considerably more expensive to produce a SHA-1 collision than an MD5 collision, but certainly not impossible. However, BitTorrent v2 also came out in 2017 and uses SHA-256, for which no known collisions exist even today.
Depending on how a file is split in the torrent, it could be possible to add malicious data with a collision: https://www.mscs.dal.ca/~selinger/md5collision/
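The per-piece check discussed above, as an added example that is not part of the original thread: a BitTorrent v1 client compares each piece against a 20-byte SHA-1 digest, so a downloader who does not want to rely on SHA-1 alone can also compare the whole file against a SHA-256 digest. The function names, the piece length, the sample data, and the idea that the publisher provides a SHA-256 digest out of band are all assumptions made for illustration.

```python
import hashlib
import hmac

PIECE_LEN = 16 * 1024  # constructed value; a real torrent states its own piece length


def piece_hashes(data, piece_len=PIECE_LEN):
    """Concatenated 20-byte SHA-1 digests, one per piece (v1 'pieces' layout)."""
    return b"".join(
        hashlib.sha1(data[i:i + piece_len]).digest()
        for i in range(0, len(data), piece_len)
    )


def verify_pieces(data, pieces, piece_len=PIECE_LEN):
    """Return the indexes of pieces whose SHA-1 differs from the expected digest."""
    expected = [pieces[i:i + 20] for i in range(0, len(pieces), 20)]
    n_pieces = (len(data) + piece_len - 1) // piece_len
    if n_pieces != len(expected):
        raise ValueError("piece count mismatch")
    bad = []
    for idx, want in enumerate(expected):
        chunk = data[idx * piece_len:(idx + 1) * piece_len]
        if not hmac.compare_digest(hashlib.sha1(chunk).digest(), want):
            bad.append(idx)
    return bad


def verify_download(data, pieces, sha256_hex, piece_len=PIECE_LEN):
    """Run both checks: per-piece SHA-1 and an independent whole-file SHA-256."""
    digest = hashlib.sha256(data).hexdigest()
    return {
        "bad_pieces": verify_pieces(data, pieces, piece_len),
        "sha256_ok": hmac.compare_digest(digest, sha256_hex.lower()),
    }


# Constructed sample: 40192 bytes, which splits into three pieces.
ORIGINAL = bytes(range(256)) * 157
PIECES = piece_hashes(ORIGINAL)
SHA256 = hashlib.sha256(ORIGINAL).hexdigest()

# One flipped byte inside the second piece (index 1).
TAMPERED = bytearray(ORIGINAL)
TAMPERED[20000] ^= 0xFF
TAMPERED = bytes(TAMPERED)

if __name__ == "__main__":
    print(verify_download(ORIGINAL, PIECES, SHA256))
    print(verify_download(TAMPERED, PIECES, SHA256))
```

A piece crafted to collide under SHA-1 would pass `verify_pieces` by construction; the whole-file SHA-256 comparison is the check that does not depend on SHA-1.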