The original poster is suggesting that if one can change the downloaded file on the source location, then the same person can update the SHA256 string used to "guarantee authenticity". They're not suggesting an MTM-style attack where one changes the string mid-flight.
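
The distinction drawn in this comment, as an added example that is not part of the original comment: a checksum served next to the file catches a file that changed on its own, but not a replacement by someone who can write to that location and regenerate the checksum. The `origin` dict, file name, payloads and the pinned digest (assumed to have been recorded through a separate channel) are constructed for illustration.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def publish(origin: dict, name: str, payload: bytes) -> None:
    """Store a file and its .sha256 sidecar in the same place.
    `origin` is a constructed stand-in for a download server."""
    origin[name] = payload
    origin[name + ".sha256"] = sha256_hex(payload).encode()


def verify_same_origin(origin: dict, name: str) -> bool:
    """Check the file against the checksum served alongside it."""
    expected = origin[name + ".sha256"].decode().strip()
    return hmac.compare_digest(sha256_hex(origin[name]), expected)


def verify_pinned(origin: dict, name: str, pinned_hex: str) -> bool:
    """Check the file against a digest the verifier already holds."""
    return hmac.compare_digest(sha256_hex(origin[name]), pinned_hex)


def scenario() -> dict:
    name = "tool-1.0.tar.gz"  # constructed file name
    origin = {}
    publish(origin, name, b"legitimate release bytes")
    # Assumption: this digest was recorded earlier through a separate
    # channel (for example a reviewed lockfile), not fetched from `origin`.
    pinned = sha256_hex(origin[name])

    def check():
        return (verify_same_origin(origin, name),
                verify_pinned(origin, name, pinned))

    results = {"before": check()}
    # Only the file differs (corruption, or a change that left the
    # sidecar untouched): both checks reject it.
    origin[name] = b"altered release bytes"
    results["file_only_changed"] = check()
    # A party with write access replaces the file AND regenerates the
    # sidecar: the same-origin check passes, the pinned check does not.
    publish(origin, name, b"replaced release bytes")
    results["file_and_checksum_replaced"] = check()
    return results


if __name__ == "__main__":
    for case, (same_origin, pinned) in scenario().items():
        print(f"{case}: same-origin={same_origin} pinned={pinned}")
```
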