Coming from a Windows world, I've never worried about the `curl | bash` thing. If I would trust an opaque Windows executable from a site, why would I not trust an equally opaque `curl | bash`?
I've even seen people concerned about installing Homebrew that way. It is probably one of the most confusing concerns regarding `curl | bash` given that the it's a package manager designed to run arbitrary Ruby code and is often pulling down precompiled applications.
Windows executables can be signed, and Homebrew formulae are theoretically reviewed and check a hash when they download binaries. With curl | bash, maybe the download fails partway through, or a hacker has replaced the executable on the server or the URL in the copy/paste instructions with a homograph spoof, or the site serves malware when it detects a curl agent.
I've even seen people concerned about installing Homebrew that way. It is probably one of the most confusing concerns regarding `curl | bash` given that the it's a package manager designed to run arbitrary Ruby code and is often pulling down precompiled applications.