I think the point that sebzim4500 was making is that the script is downloading an arbitrary binary and running it and that this isn't any less dangerous than running an arbitrary script, so you're screwed either way.
If someone wanted to do `rm -rf /` on your system, they wouldn't put it in the setup script you're piping to sh: they'd put it into the binary, making your inspection of the setup script effectively useless.
If an installation script is downloading an arbitrary binary then I'm not running that script unless that binary also comes from a trusted source. We have PKI to prove that sites are who they claim to be. I only run binaries from trusted sources.