


This is true when the install script is indeed from a source you ‘trust’, but there are also sites that aggregate many apps into ‘one install script’, or I have seen StackOverflow answers list these types of install commands to install a missing dependency. I personally wouldn’t be too quick to just trust those.


Yes. But a one-line install script is easily auditable. I mean, the URL you are fetching and executing from is in your face. Validate the URL, consider your trust - that's all. It's the same as what we've been taught before we enter credentials on any site: validate the domain.


It's fairly easy (trivial) to serve a different install script to a full web browser than to curl.

That's just one of the problems, but I'd say it's the main one. If you truly trust the creator with install power, download the script yourself with curl/wget/whatever, have a glance if it's what you expect, and fire away.


No, you need to verify the application itself too.

That's the major problem with these scripts: you rely on the web server not having been compromised, the release builder not having been compromised, and you not being MITMed. Now, someone might inject nasty changes into a code repository, but it tends to be harder.
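The download-first workflow the two comments above describe, as an added example that is not from this thread or from any particular project: save the script to disk instead of piping it into a shell, check whether the server hands a different body to curl than to a browser-style client, and only execute after the file's SHA-256 matches a hash obtained out of band. It assumes a POSIX shell with `curl` and `sha256sum` on the PATH; the URL and hash arguments are placeholders the caller supplies.

```shell
#!/bin/sh
# Added example: "download, look, verify, then run" instead of curl | sh.
# Assumes curl and sha256sum are installed (Linux coreutils); the expected
# hash must come from a channel other than the server that serves the script.

# fetch_script URL DEST [USER_AGENT]
# Writes the body to DEST; never executes it. HTTPS and TLS 1.2+ are enforced
# so a plain-HTTP redirect cannot be used to swap the content in transit.
fetch_script() {
    url=$1; dest=$2; ua=${3:-curl-install-check}
    curl -fsSL --proto '=https' --tlsv1.2 -A "$ua" -o "$dest" "$url"
}

# sha256_of FILE : prints the lowercase hex digest only
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_sha256 FILE EXPECTED_HEX : exit 0 iff the digest matches
verify_sha256() {
    [ "$(sha256_of "$1")" = "$2" ]
}

# ua_divergence URL : exit 1 if the server returns different bytes to a
# generic curl client than to a browser-like User-Agent (the "serve a
# different script to curl" problem). Exit 0 when both copies are identical.
ua_divergence() {
    a=$(mktemp) || return 2
    b=$(mktemp) || return 2
    fetch_script "$1" "$a" "curl-install-check" || return 2
    fetch_script "$1" "$b" "Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/120.0" || return 2
    if [ "$(sha256_of "$a")" = "$(sha256_of "$b")" ]; then
        rm -f "$a" "$b"; return 0
    fi
    echo "warning: $1 serves different content depending on User-Agent" >&2
    rm -f "$a" "$b"; return 1
}

# run_if_verified FILE EXPECTED_HEX : execute FILE only after the hash check.
# The same function works for a downloaded release tarball's install step,
# which is the "verify the application itself" point: nothing runs unless
# the artifact on disk is the one whose hash you already knew.
run_if_verified() {
    if verify_sha256 "$1" "$2"; then
        sh "$1"
    else
        echo "hash mismatch for $1 (got $(sha256_of "$1")); refusing to run" >&2
        return 1
    fi
}

# Typical use (placeholders, not a real project):
#   fetch_script https://example.invalid/install.sh /tmp/install.sh
#   less /tmp/install.sh                      # have a glance first
#   ua_divergence https://example.invalid/install.sh
#   run_if_verified /tmp/install.sh <sha256 published by the maintainers>
```

The hash check only has value if the expected digest comes from somewhere the web server cannot rewrite (a signed release page, a package manager's metadata, a maintainer's signed announcement); a hash printed next to the download link on the same page is verified by the same server that could have served the tampered file.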


This 1000 times

