I'm Not sure that I agree that it is automatically safer to prefer apt or dnf, and I'm definitely sure that it is not safer to prefer npm.

Safety is about managing risk. One element of managing risk is evaluating trust. I'm thinking that there are much fewer people I have to trust by copying the curl | bash install method from homebrew's secure website.

But at any rate, I completely agree that piping a curl'd script directly to the shell should be considered unsafe, even if it's from a trusted source. It's quite easy to do additional checks to reduce your risk significantly for this type of attack. You could read the contents of your clipboard with a hex editor and check for non-ascii characters. But wait? How do I install the hex editor? Don't I need a hex editor to check the install method of the hex editor? AAAAH! It's turtles all the way down!!!!