by blub 3136 days ago
No, you're completely wrong. The key is available in multiple places and has been available for a while, so there is some verification that can be done.

The binary will be checked by gpg, it shouldn't matter where it's from.

Finally, if the recommendation is to run curl foo | sh, the bash script can literally not be inspected.

1 comments

Just separate the steps? Curl to a file, inspect it, and then execute it? I don't see the problem. Most users just don't care because it's official anyways.