Yeah, not sure where that came from, but as you say, you can pin to a tag/commit, and Go's module proxy stops you from having someone re-push the value of a tag once it's had someone download a dependency.
You also only pin, as there's no way to do a range, so IMO that makes it nicer and more explicit than other languages/toolchains with respect to pinning.