Right, the point of the thought experiment is to inject malicious code only in cases where someone is piping directly to bash without reading it, and not in cases where they might have the opportunity to read it. So in that case you would not inject malicious code. That is correct for the exersize.

I hate it when I do that, look at the script and realize that the script itself curl | bash other scripts.

Unless there are other sane ways to install the project, I just put in on my blacklist and ignore it.