How? Every package manager that I've seen so far allows installations of locally downloaded packages. Some will even helpfully download all dependencies. That's a good thing in general, however, the package could just as well contain adware/spyware. And every package format that I know of supports post-install scripts, those could easily change configuration settings. Since package install runs as root that added layer of security doesn't help here.