Windows executables can be signed, and Homebrew formulae are theoretically reviewed and check a hash when they download binaries. With curl | bash, maybe the download fails partway through, or a hacker has replaced the executable on the server or the URL in the copy/paste instructions with a homograph spoof, or the site serves malware when it detects a curl agent.