

To add to OP’s concerns, the server can detect if you run curl <URL> | sh
rather than just downloading the file, and deliver a malicious payload only in the piped to sh case where no one is viewing it
You can detect server-side whether curl is piping the script to Bash and running it vs just downloading it, and inject malicious code only in the case no one is viewing it
https://github.com/Stijn-K/curlbash_detect
So that would at least be a minor improvement
My job is literally to make Linux distros using Yocto for various boards. I’m constantly writing new build scripts or updating build scripts, debugging the kernel/systemd/glibc and whatever libraries are on the system.
All of my work and personal desktops run some version of Fedora Atomic or a uBlue variant right now.
With distrobox/toybox/brew and using podman/docker/KVM+qemu, even as a tinkerer, it’s great
I’ve gone through and responded to the other top level comments as well, but another massive issue you could add to your edit is that servers can detect
curl <URL> | sh
rather than just curl <URL>
and deliver a malicious payload only if it’s being piped directly to a shell. There’s a proof-of-concept attack showing its efficacy here: https://github.com/Stijn-K/curlbash_detect
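The mitigation implied by the comments above (download first, then run) in working form. This is an added example, not code from the thread or from the linked repository: the function names `verify_and_run` and `fetch_verify_run`, and the use of a SHA-256 digest obtained separately from the download, are this example's own choices. Because the whole script is on disk before the shell reads a byte of it, the server never sees the stop-and-go read pattern that a detector for `curl | sh` relies on, and you can open the file before deciding to run it.

```shell
#!/bin/sh
# Added example: run a remote install script only after it has been fully
# downloaded and its SHA-256 matches a value obtained out of band (release
# notes, a signed checksum file, a second channel). Not the thread's own code.

# verify_and_run FILE EXPECTED_SHA256
# Executes FILE with sh and returns its status if the digest matches;
# returns 1 and runs nothing otherwise.
verify_and_run() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch for $file: expected $expected, got $actual" >&2
        return 1
    fi
    sh "$file"
}

# fetch_verify_run URL EXPECTED_SHA256
# Downloads to a temp file first (-f fails on HTTP errors, -sS is quiet but
# still reports errors, -L follows redirects), then hands off to verify_and_run.
# The file is removed afterwards whatever the outcome.
fetch_verify_run() {
    url="$1"
    expected="$2"
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$url" -o "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    if verify_and_run "$tmp" "$expected"; then
        status=0
    else
        status=$?
    fi
    rm -f "$tmp"
    return $status
}
```

Typical use is `fetch_verify_run https://example.invalid/install.sh <digest>` with a placeholder URL and the digest taken from the project's published checksum. Pinning to a digest means any change to the script, whether a legitimate update or a swapped payload, refuses to run until you have looked at the new version and updated the pin.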