by idle_zealot 782 days ago
While I agree, how does this mesh with standard operating procedure on Windows/Mac being to download binary executables and run them? Is the analogous advice "inspect any exe files with Ghidra and fully understand them before running"? Or "only run executables from official distribution channels of open source projects the code of which you've read and understand"? Where, generally, should we place our trust in terms of what code we run on our computers?

Windows and particularly macOS make it difficult to run things that aren't code signed with trusted certificates. Same with packages in Linux package managers. That provides a large level of assurance that the thing you download is verified by a distributor that you presumably trust (otherwise why are you using their software?). Pipe to shell has no such guarantee: if a bad actor either MITMs you or gets access to their server and stuffs something bad in the script, you're out of luck.

Basically, if you believe that code signing is a good thing (and I hope we all can agree on that), curl to shell is not great security practice.
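Added example, not from the thread or either commenter: a small POSIX shell routine that does for the curl-to-shell case what the reply asks for, saving the script to a file and refusing to execute it unless its SHA-256 matches a digest pinned out of band. The file names and the sample installer are constructed here; a pinned digest only fixes the bytes you run and is a weaker substitute for a distributor signature, not an equivalent.

```shell
#!/bin/sh
# Added example (not from the thread): instead of `curl ... | sh`, save the
# script, compare its SHA-256 against a digest obtained out of band (e.g. from
# the project's signed release page), and run it only on a match. The digest
# stands in for the distributor signature the reply describes; it pins the
# bytes but does not prove who produced them.

sha256_of() {
    # Print the hex SHA-256 of a file; falls back to shasum where sha256sum is absent.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# run_pinned_script FILE EXPECTED_SHA256
# Executes FILE and returns 0 only if its digest equals EXPECTED_SHA256;
# returns 1 and runs nothing otherwise, so a tampered or truncated download
# never reaches the interpreter.
run_pinned_script() {
    file=$1
    expected=$2
    [ -f "$file" ] || return 1
    actual=$(sha256_of "$file")
    if [ "$actual" != "$expected" ]; then
        echo "refusing to run $file: sha256 $actual != pinned $expected" >&2
        return 1
    fi
    sh "$file"
}

# Constructed sample "installer" standing in for a downloaded script.
demo_dir=$(mktemp -d)
printf '#!/bin/sh\necho installed\n' > "$demo_dir/install.sh"
# In practice PINNED is copied from the release page, not computed locally;
# it is computed here only so the example runs offline.
PINNED=$(sha256_of "$demo_dir/install.sh")

# Simulate the MITM / compromised-server case: one extra line appended.
cp "$demo_dir/install.sh" "$demo_dir/tampered.sh"
printf 'echo extra line\n' >> "$demo_dir/tampered.sh"
```

Run it as-is to see the pristine copy execute and the modified copy get refused; for a real download, replace the constructed files with the saved script and the published digest.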