"just give us root on your system" install scripts like that are a security thing, yes.
I think the issue is more the attitude towards security and system stability that is implied by such installation methods, which is apaprently endemic to the entire "JS ecosystem". That attitude being "who cares about security or stability?"
When It's my system and I don't want to mess with it, just set stuff up and have it run trouble free and do the things I want (and only I want), then I do care about such things and agree that JS has no place other than sacrificial toy boxes that get insulated from "real" computing like they was a modem with its phone number posted at the payphones by the 2600 meetup.
The idea is that you give it root on a VM or on a docker container.
You don't give it root on your desktop linux system you do all your sensitive stuff on of course. That makes zero sense. Home assistant really runs great even on a cheap raspberry pi if you don't have a VM- or dockerserver.
The problem then becomes maintaining it - backing up the config, debugging errors, etc. I ran Home Assistant for a while with their docker method on an otherwise stable server. One day it just shit the bed out of the blue. I wasn't going to spend the time digging into its own bespoke Linux userland to figure out how to figure out what was wrong, and I wasn't going to pave over it and spend the time redoing my meager config. In my book, software that is going to be relied upon gets installed through a distro's package manager, and last time I checked Home Assistant's maintainers are actively opposed to that.
also, your faith in "VM" insulation appaears greater than mine. if i dont trust a VM i dont trust the host running the VM.
others have different opinions and that's ok. my systems run to my standards, however quirky they may be. im stating opinion here, not attempting to inscribe Sysadmin Commandments. them's written on the wall of the bathroom stall.
edit: just for reference, the last cpu i could say i trusted was before speculative execution was a feature. since then its more about risk mitigation. i'm not paranoid, there's people worse than me, and they're nuts. I'm just cautious and lazy.
Because it is a long running process, and it has plugins. Amd because both the container and the VM are premade, you don't even have to install, you just run them.
You can extend the container image with your own Dockerfile.
If you don’t trust your hypervisor, buy a pi or cheap nuc, but also your hypervisor being 0day’d is probably far less likely than one of the thousands of apps in $PATH being compromised or malicious.
I understand not fully trusting docker, you have to trust several levels of kernel features and configuration, plus it shits all over your firewall like it owns the place.
Real virtualization is a bit more airtight, though. There have been some escape exploits but they all abused drivers that you wouldn't use heedless (shared folders, VGA, PCIe passthrough), not the virtualization layer. But that's a distinction without a different, really, so good on you for being careful!
I think the issue is more the attitude towards security and system stability that is implied by such installation methods, which is apaprently endemic to the entire "JS ecosystem". That attitude being "who cares about security or stability?"
When It's my system and I don't want to mess with it, just set stuff up and have it run trouble free and do the things I want (and only I want), then I do care about such things and agree that JS has no place other than sacrificial toy boxes that get insulated from "real" computing like they was a modem with its phone number posted at the payphones by the 2600 meetup.