[manv1]

Really, the risk here is that the install is going to do something unfortunate, like delete everything in your filesystem because you have a space in your home directory name or cause problems because your .profile didn't end with a CR and it blindly appended it's own stuff to it.

I'm not sure how package managers prevent this sort of issue, but in general running shell scripts as root (and it probably needs to run as root) is a bad thing.

[samtheprogram]

Some package managers don’t really prevent this, particularly thinking of npm but also apt and other system package managers, because they can run arbitrary post-install scripts.

As always, you need to trust the vendor of software you install and/or do an audit of the source/installer regardless.