[timeflex]

You mean the script that you'd have to check every time you want to install? At least with Docker, unless you're running the container privileged then you have some isolation. However, a package manager is usually the recommended approach since those apps are usually checked by maintainers & often routinely scanned for vulnerabilities. A package manager is my preferred approach.

[echoangle]

Just for arguments sake, how did you install docker engine? Did you add their apt source where they can push anything they like into their packages?

And also, you shouldn’t rely on docker for safety, it might or might not work but docker isn’t a reason to just run an untrusted program.

[timeflex]

I'm not even using Docker. I use Podman in rootless mode installed using the system package manager. Even if an app found a way to break out of the container, it wouldn't have elevated privileges.

I'm not saying security is about perfection, but encouraging people to curl something to the shell with sudo is poor practice. I get that it is a newer piece of software, so I am forgiving. But getting it packaged into Homebrew, WinGet, Nix, etc. is more ideal. Some of them may verify a signed package, ensure reproducible builds, track changes for proper uninstalls, etc.