Except curl | bash definitely executes code by the author controlling the URL you put in, and if the URL is HTTPS, in a reasonably secure fashion.

There is no validation when you winget whether or not the executable is from the official source or that a third party contributor didn't tamper with how it's maintained.

Windows already has

irm <URL> | iex