
"ssh ${HOST} '...; curl -sfL https://get.k3s.io | sh -'"

Why do we blindly run shell scripts from a website? I see this far more often than I should...



As opposed to blindly running the precompiled binary you manually downloaded from the site?


You're right that from a purely security-oriented point of view there's not much difference. All code that you didn't write yourself can theoretically do anything it likes to your computer. (Unless sandboxed, of course.)

But from a practical point of view in the context of convention, expectation, and trust, curlpipes and stand-alone binaries are totally different.

Some of us have the battle scars of terrible shell-script installers gone wrong. At best, a poorly-written shell script can deploy cruft to strange places on your disk or interfere with data and software managed by the OS package manager. At worst, such scripts have been known to destroy data and render the whole system a brick because the author was not sufficiently familiar with all of the systems that it might be run on. I don't remember the source now but one such installer effectively ran `rm -rf /` on the user's machine when a certain variable ended up undefined due to a bug elsewhere in the script.

However, when I download a binary executable from a source that I trust, there's a certain expectation that the program will keep to itself and not interfere with the rest of my system or home directory beyond its own data and config files. Because _not_ doing so departs from convention and will result in a lot of angry users. Likewise I place a great deal of trust in the folks who package software for my OS because while mistakes can happen, their whole goal is a reliable and consistent system as a whole.

Individual app developers care little about my system; they just want users to install their stuff. Curlpipes _look_ attractive to them ("just paste this into your terminal, type in your root password and you're ready to go!"), but we've seen many times over that cross-platform shell script installers are rarely their core competency.


The rm -rf instance you're talking about I believe is from the Steam Linux client [0]. Which is...ironically part of the Steam binary.

[0]: https://github.com/valvesoftware/steam-for-linux/issues/3671


I'd assume that many people download and then check if the MD5/SHA hash matches the published one (e.g., search the web for the hash and see if the results look good).

Harder to do that in automated deployments that are supposed to always use the newest version available though.
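
The download-then-check-the-hash workflow from the comment above, as an added example that is not part of any comment in this thread: the installer is saved to disk, compared against a pinned SHA-256, and only then executed. The function names and `PINNED_SHA256` are hypothetical; `set -u` and `${tmp:?}` guard against the undefined-variable `rm -rf` failure described earlier in the thread.

```shell
#!/bin/sh
# Added example: download, verify against a pinned digest, then run.
set -u  # an unset variable is an error instead of expanding to ""

# Print the SHA-256 hex digest of FILE (sha256sum, or shasum on macOS/BSD).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if FILE exists and its digest equals EXPECTED.
verify_installer() {
    file=${1:?file required}
    expected=${2:?expected digest required}
    [ -f "$file" ] || return 1
    actual=$(sha256_of "$file") || return 1
    [ "$actual" = "$expected" ]
}

# Execute FILE with sh only after its digest has been checked.
run_verified() {
    if verify_installer "$1" "$2"; then
        sh "$1"
    else
        echo "digest mismatch for $1, refusing to run" >&2
        return 1
    fi
}

# Real use (PINNED_SHA256 is a placeholder for a digest obtained out of band):
#   curl -sfL https://get.k3s.io -o install.sh
#   run_verified install.sh "$PINNED_SHA256"

# Demo on a constructed installer standing in for the downloaded script.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'echo installed\n' > "$tmp/install.sh"
    pinned=$(sha256_of "$tmp/install.sh")
    run_verified "$tmp/install.sh" "$pinned" || return 1   # matches: runs
    printf 'echo tampered\n' >> "$tmp/install.sh"
    if run_verified "$tmp/install.sh" "$pinned"; then refused=no; else refused=yes; fi
    rm -rf "${tmp:?}"   # :? aborts rather than expanding an empty path
    [ "$refused" = yes ]
}
demo
```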



