by jraph 2401 days ago
Except you cannot even look at the contents of the file being piped beforehand and hope that the same file is downloaded when you actually pipe it. It's more like running setup.exe using the administrator account.

Sure you can - first pull, then there are many tools to help you. For example, https://github.com/larsks/undocker/
Indeed.

You can also pull via the sha rather than the tag, which gives you significant extra assurance.

docker pull docker/binfmt@sha256:5a9ad88945dff7dc1af2ef7c351fe3dd9f7c874eb2c912c202ced088d21c178a

Once you've confirmed you're happy with the script, I don't believe there is any issue with automating this.

docker run --rm --privileged docker/binfmt@sha256:5a9ad88945dff7dc1af2ef7c351fe3dd9f7c874eb2c912c202ced088d21c178a

In theory, the underlying container cannot be changed, which is what most of the issues with piping curl into bash are.

Isn't that akin to extracting setup.exe? You still don't get to inspect the binaries bundled in the image.
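An added example (not code from the thread or from Docker) of what pulling by digest pins: the digest is the SHA-256 of the image manifest, and the manifest names its config and layers by their own SHA-256, so changed content cannot sit behind the same reference. It assumes a simplified single-platform manifest and a simplified reference grammar (no registry port); `example/image` and the blob contents are constructed sample data.

```python
import hashlib
import json
import re

# Simplified grammar: lowercase repository path, then @sha256:<64 hex>.
# A tag such as name:latest is mutable and is rejected here.
PINNED = re.compile(r"^[a-z0-9]+(?:[._/-][a-z0-9]+)*@(sha256:[0-9a-f]{64})$")


def sha256_digest(data: bytes) -> str:
    return "sha256:" + hashlib.sha256(data).hexdigest()


def pinned_digest(reference: str) -> str:
    """Return the digest of a pinned reference; raise for tags or malformed refs."""
    m = PINNED.match(reference)
    if not m:
        raise ValueError(f"not pinned by digest: {reference!r}")
    return m.group(1)


def verify_image(reference: str, manifest: bytes, blobs: dict) -> list:
    """Check the manifest against the pinned digest, then every blob it lists."""
    if sha256_digest(manifest) != pinned_digest(reference):
        raise ValueError("manifest does not match pinned digest")
    doc = json.loads(manifest)
    verified = []
    for desc in [doc["config"], *doc["layers"]]:
        blob = blobs.get(desc["digest"])
        if blob is None or sha256_digest(blob) != desc["digest"]:
            raise ValueError(f"blob mismatch: {desc['digest']}")
        verified.append(desc["digest"])
    return verified


# Constructed sample image (not real registry data): one config, one layer.
CONFIG = b'{"architecture":"amd64","os":"linux"}'
LAYER = b"constructed layer tarball bytes"
MANIFEST = json.dumps({
    "schemaVersion": 2,
    "config": {"digest": sha256_digest(CONFIG)},
    "layers": [{"digest": sha256_digest(LAYER)}],
}).encode()
BLOBS = {sha256_digest(CONFIG): CONFIG, sha256_digest(LAYER): LAYER}
REF = "example/image@" + sha256_digest(MANIFEST)

if __name__ == "__main__":
    print(verify_image(REF, MANIFEST, BLOBS))
```

The check establishes that the bytes are the ones that were pinned; it says nothing about what those bytes do.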