> in any event, it's more surface area. their web server being compromised and serving a bad shell script is just more that can go wrong.

If they were serving up a binary you would have the same exact threat that you mentioned.

The threat model barely, barely changes when talking about curl | sh vs downloading and manually executing a binary. Barely.