There is no threat model that doesn't also apply to pretty much every other distribution method.

It's just people who have internalized "don't paste commands from the Internet into your terminal" and aren't thinking about exactly what makes pasting commands from the Internet into your terminal dangerous, and how that applies to this specific case.

Nah bro package manager where you copy and paste their custom repo and key from the same website that hosts the `.sh` is definitely safer, trust me

/s