MD5 will ONLY check the integrity of a downloaded file .. but it does NOT verify the downloaded file comes from a trusted source. Signing the ISO and verifying it against a known public GPG key is a way to add a chain of trust that the ISO image came from the publisher.
When the Mint servers were hacked and a compromised ISO was uploaded, it would have been possible for the hacker to have also changed the MD5 checksum on the website, and you'd never have known because you'd be checking the ISO against the hacker's MD5.
Digital signing of the ISO images themselves and then checking them against a known good and trusted public key from Clem (the author) would have failed, and it would have been clear that though they passed an MD5 check (against the bogus checksum) they were NOT from Clem.
Peppermint do the same thing (https://peppermintos.com/gpg-verification/), as do Mint (and most other distros) now.
At the end of the day it's only as necessary as your paranoia levels .. but the option is there for security's sake.
MD5 checksums are ONLY a check for file integrity (corruption) .. they do NOT verify you're using the right checksum.
GPG signing is both a file integrity check and a security check that the file came from a trusted source.
If you're only going to use MD5 checksums, it would be a VERY good idea to check the published MD5 is the same on multiple websites .. a hacker is unlikely to have hacked multiple different servers and changed the published MD5 checksum on all of them.
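The multi-site comparison described above can be scripted. The following is an added example, not part of the original post: it hashes a download and compares it with md5sum-style listings gathered from several sources, flagging the case where the sources disagree with each other. The file name, source names and ISO bytes are constructed stand-ins.

```python
import hashlib
from collections import defaultdict

FILENAME = "distro.iso"                       # constructed name
GOOD_ISO = b"constructed stand-in for the genuine ISO image\n"
BAD_ISO = b"constructed stand-in for a tampered ISO image\n"

def file_digest(data, algo="md5"):
    """Hex digest of the downloaded bytes."""
    return hashlib.new(algo, data).hexdigest()

def listing(data, algo="md5"):
    """Build one md5sum-style line: '<hex>  <filename>'."""
    return f"{file_digest(data, algo)}  {FILENAME}\n"

def parse_checksum_file(text, filename):
    """Return the digest listed for filename, or None if it is absent."""
    for line in text.splitlines():
        parts = line.strip().split(None, 1)
        if len(parts) == 2 and parts[1].lstrip("*") == filename:
            return parts[0].lower()
    return None

def cross_check(data, filename, published, algo="md5", min_sources=2):
    """Compare a download with checksums published by several sources.

    published maps a source name to the checksum-file text fetched from it.
    Returns (verdict, actual_digest, sources_by_digest, sources_missing_entry).
    """
    actual = file_digest(data, algo)
    by_digest = defaultdict(list)
    for source, text in published.items():
        by_digest[parse_checksum_file(text, filename)].append(source)
    missing = by_digest.pop(None, [])
    if len(by_digest) > 1:
        verdict = "SOURCES_DISAGREE"   # one server may have been altered
    elif sum(len(s) for s in by_digest.values()) < min_sources:
        verdict = "TOO_FEW_SOURCES"    # a single site proves nothing
    elif actual in by_digest:
        verdict = "MATCH"
    else:
        verdict = "FILE_MISMATCH"      # corrupt or altered download
    return verdict, actual, dict(by_digest), missing

if __name__ == "__main__":
    # The scenario from the post: ISO and checksum both replaced on one site.
    published = {"main-site": listing(BAD_ISO),
                 "mirror-1": listing(GOOD_ISO),
                 "mirror-2": listing(GOOD_ISO)}
    print(cross_check(BAD_ISO, FILENAME, published))
```

Agreement between sites is still only an integrity check; it does not identify the publisher the way a GPG signature does.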