Oftentimes the installer needs greater system access than the code you're running, particularly on Windows.
IME most of the randomly-downloaded software I've used does what it says on the tin. But there is a whole screening process: where did it come from? Does the originating site look legit? What are the possible motivations for the creator?
Besides, there is no signing mechanism for your random install.sh. Maybe you check the SHA256, but if an attacker alters the script, why not alter the website with the hashes too?