I don’t think I’ve seen anybody insist curl | sh is fine from untrusted sources.
In many contexts, curl | sh is an alternative to adding some kind of additional repository to install a third party package — and in most package managers this is done as root anyway, with arbitrary pre-install and post-install scripts.
I’m not really sold on how curl | sh (with https) is any less secure than blindly following steps to add a repo.
I used to strongly dislike curl | sh, and if there’s some looming security risk beyond accidentally trusting bad actors who couldn’t be bothered to go to all the effort of setting up a repo then I’d genuinely like to know.
I have seen plenty of curl | sh invocations that pass the "-k" flag to curl, meaning that curl will allow insecure connections even if there are invalid SSL/TLS certificates.
You can detect curl | sh server-side and respond with different content than the inspectable source. The link I typically cite isn’t loading for me but you should be able to find more info if you’re curious.
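Added example, not part of any comment above: a way to keep certificate validation on (no -k) and make sure the bytes that run are the bytes that were reviewed, by downloading to a file and checking a pinned SHA-256 before executing. The function names are hypothetical, and the URL and digest passed to install_from are assumed to come from a copy of the script you have already inspected.

```shell
#!/bin/sh
# Added example: fetch an installer to disk, check it against a pinned
# SHA-256, and only then execute it. Function names are hypothetical;
# the caller supplies the URL and the digest of the reviewed script.

# Print the SHA-256 of a file using whichever tool is present.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | awk '{print $1}'
    else
        openssl dgst -sha256 -r "$1" | awk '{print $1}'
    fi
}

# verify_and_run FILE EXPECTED_SHA256 [ARGS...]
# Runs FILE with sh only if its digest matches; returns 3 on mismatch.
verify_and_run() {
    file=$1; expected=$2; shift 2
    actual=$(sha256_of "$file") || return 2
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: got $actual" >&2
        return 3
    fi
    sh "$file" "$@"
}

# install_from URL EXPECTED_SHA256 [ARGS...]
install_from() {
    url=$1; expected=$2; shift 2
    tmp=$(mktemp) || return 2
    # No -k: certificate validation stays on. --proto/--proto-redir refuse
    # plain HTTP on the first request and on redirects; -f fails on HTTP errors.
    if curl --proto '=https' --proto-redir '=https' --tlsv1.2 \
            -fsSL -o "$tmp" "$url"; then
        verify_and_run "$tmp" "$expected" "$@"
        rc=$?
    else
        rc=4
    fi
    rm -f "$tmp"
    return $rc
}
```

Because the script is written to disk before anything executes, a server that answers a piped request differently from a browser request produces a digest mismatch instead of running.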