Giving the benefit of the doubt to the gazillion lines of code running on your computer, that you and several million other people downloaded from the same place, with verified SHA sums, is actually pretty reasonable. If you're truly paranoid, all you have to do to ensure that you're benefiting from crowd-sourced verification is verify the SHA sum code.
Stuff running on some website that only the web site admins can see is not in the same ballpark.
Where you download it from and SHA only give guarantees about the integrity of the data transfer. I am talking about trusting that the code does what it is supposed to do. Bugs can hide in code for years, whether inserted accidentally or intentionally, as the Heartbleed episode demonstrates. SHA does absolutely nothing against this.
I was addressing malice as well. Having the same code is no guarantee that it does not contain an intentional bug that can be exploited. Neither is knowing that it came from some specific entity (code signing), because again this presupposes establishing trust. There is no technical solution to trust.
But if the code you have is the same as the code millions of other people have, it's safer to give it the benefit of the doubt than a single server that only a handful of people have access to.