I think there is some nuance to the question here. The gateway might check the hash but you’re trusting it to do that since it will probably return you the complete file so there is no way to check that the CID actually matches. The CID is computed on the merkle-dag not the file and you don’t have that information once it’s be reconstructed back into the file. I believe you can now request that the gateway return a CAR file which does contain this information so you don’t have to trust the gateway if you retrieve the file this way.
As far as changing the file on your local node, there really isn’t really even a concept of changing a file. Any change you make will result in a new CID and conceptually a new file. If you did decide to lie and distribute blocks with a non matching CID the receiver would check if the CID matched the data, see the discrepancy and reject that block. I don’t know if IPFS has a mechanism to block or throttle nodes that continually provide bad blocks.
You can see from this recent post that a local node running IPFS even detects bad blocks from what is probably a failing hard drive rather than malicious intent How can I (forcibly) overwrite a damaged block in the repo with a good copy?