I don’t understand checksums


I understand how it works but I don’t understand why. Let’s say I hack VLC’s website to modify their download file to add something malicious. Now the checksum of the new file is going to be different from the checksum of the website but wouldn’t I just change the checksum of the website too?


8 Answers

Anonymous 0 Comments

> I understand how it works but I don’t understand why. Let’s say I hack VLC’s website to modify their download file to add something malicious. Now the checksum of the new file is going to be different from the checksum of the website but wouldn’t I just change the checksum of the website too?

That’s entirely correct; checksums don’t protect against malicious manipulation. They serve other purposes.

It’s long been a tradition to have checksums at various download sites to protect against replication errors and in-transit corruption. This used to be an issue with FTP servers, where download completion can’t be precisely determined because the protocol just sucks. Also FTP has an “ASCII” transmission mode notorious for corrupting downloads.

So people started including checksums to allow people to quickly verify that they downloaded the entire thing, and that what they got is in working order. This is mostly obsolete in the modern age, but some people still stick to it.

For proving that the file has not been tampered with, you need an actual cryptographic signature.
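Added example, not part of the answer above and not any project's own code: a checksum hosted beside the file compared with a signature verified against a public key the user already holds. It uses a Lamport one-time hash-based signature only so that it runs on the Python standard library (real downloads are normally signed with tools such as GPG); the file bytes, the `site` dictionary and all function names are constructed for illustration.

```python
import hashlib
import secrets

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def bits_of(digest: bytes):
    # The 256 bits of a SHA-256 digest, most significant bit first.
    return [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)]

def keygen():
    # Private key: 256 pairs of random secrets. Public key: their hashes.
    priv = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    return priv, [(sha256(a), sha256(b)) for a, b in priv]

def sign(priv, data: bytes):
    # Reveal one secret per digest bit. A Lamport key must sign only one message.
    return [priv[i][bit] for i, bit in enumerate(bits_of(sha256(data)))]

def verify(pub, data: bytes, sig) -> bool:
    bits = bits_of(sha256(data))
    return len(sig) == 256 and all(
        sha256(s) == pub[i][bit] for i, (s, bit) in enumerate(zip(sig, bits)))

def checksum_ok(data: bytes, published_hex: str) -> bool:
    return hashlib.sha256(data).hexdigest() == published_hex

def demo():
    priv, pub = keygen()  # priv never touches the web server; pub is pinned by the user
    original = b"constructed sample: installer v1 bytes"
    site = {"file": original, "sha256": hashlib.sha256(original).hexdigest(),
            "sig": sign(priv, original)}
    # The scenario from the question: the file and its checksum are both replaced.
    tampered = original + b" + unexpected extra bytes"
    site.update(file=tampered, sha256=hashlib.sha256(tampered).hexdigest())
    return {
        "checksum_catches_truncation": not checksum_ok(original[:10], hashlib.sha256(original).hexdigest()),
        "checksum_accepts_tampered": checksum_ok(site["file"], site["sha256"]),
        "signature_accepts_tampered": verify(pub, site["file"], site["sig"]),
        "signature_accepts_original": verify(pub, original, site["sig"]),
    }

if __name__ == "__main__":
    print(demo())
```

The signature only helps because the public key reaches the user through a channel the website cannot rewrite; a key downloaded from the same page as the file has the same weakness as the checksum.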
