No, you're completely wrong.
The key is available in multiple places and has been available for a while, so there is some verification that can be done.
The binary will be checked by gpg, it shouldn't matter where it's from.
Finally, if the recommmendation is to run curl foo | sh, the bash script can literally not be inspected.
Just separate the steps? Curl to a file, inspect it, and then execute it? I don't see the problem. Most users just don't care because it's official anyways.
The binary will be checked by gpg, it shouldn't matter where it's from.
Finally, if the recommmendation is to run curl foo | sh, the bash script can literally not be inspected.