There are many ways of implementing a curl | sh installer, some of them robust, some of them not.
However they all look the same to the end user.
That's a feature and also a potential source of problems, since users cannot tell whether the particular application they want to install is implementing the installer correctly or not. The outcome is that most users just trust that application (possibly because it's popular and trusted), and that's fine, but it also trains the public that this installation method is OK. That gives positive feedback for other applications to also offer their software using that installer pattern, until at least one such package is implemented very badly or is sneakily malicious.
If only curl had a flag where you pass the sha256 of the file and it first checks it against the buffered file before outputting it to stdout.
That would singlehandedly resolve this whole kerfuffle.
The install instructions will be a slightly longer one-liner, and that's fine because people copy-paste it anyway.
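
The behaviour wished for above can be approximated with a small shell filter placed between curl and sh. This is an added example, not part of the original comment and not a curl feature; `verify_then_emit` and `sha256_of` are hypothetical helper names, and it assumes `sha256sum` or `shasum` is installed.

```shell
# Buffer everything from stdin, compare its SHA-256 with the expected value,
# and write to stdout only when the two match.
# Intended use (URL and hash are placeholders):
#   curl -fsSL "$URL" | verify_then_emit "$EXPECTED_SHA256" | sh

sha256_of() {
    # Print the lowercase hex SHA-256 of the file named in $1.
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

verify_then_emit() (
    # Runs in a subshell so its variables do not leak into the caller.
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')

    # Refuse anything that is not exactly 64 hex digits, so a typo or an
    # empty argument can never be treated as a valid hash.
    case "$expected" in
        *[!0-9a-f]*) echo "verify_then_emit: malformed hash" >&2; exit 2 ;;
    esac
    [ "${#expected}" -eq 64 ] || { echo "verify_then_emit: malformed hash" >&2; exit 2; }

    buf=$(mktemp) || exit 2
    cat >"$buf"                      # nothing has reached stdout yet
    actual=$(sha256_of "$buf")

    if [ "$actual" = "$expected" ]; then
        cat "$buf"                   # verified: release the buffered bytes
        rc=0
    else
        echo "verify_then_emit: sha256 mismatch (got $actual)" >&2
        rc=1
    fi
    rm -f "$buf"
    exit "$rc"
)
```

On a mismatch, including a truncated download, the filter emits nothing, so the downstream `sh` reads an empty script and runs no commands.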