The owner of the website could sign responses, and you could verify them, in addition to TLS via HTTPS. I think that can make it at least as secure as package management systems.
Yep, I agree. Providing checksums for scripts to curl isn't the norm from what I've seen, though, which I think fits in with what GP (of my original comment) was saying. Also, I'm not super convinced that most users would bother verifying the checksum; from what I've seen, most people downloading Linux distro images don't even bother verifying the checksums that are provided.