For helm and most other golang apps, you just need to download the binary and put it in your $PATH. They usually put them on GitHub releases, so it's a really low-friction way to install a genuine application.
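The "download and drop into $PATH" step above skips the one check that makes the downloaded binary worth calling genuine: comparing the archive against the checksum the project publishes alongside it. The script below is an added example, not code from the comment above or from the helm project. It assumes the release layout many Go projects use (an archive plus a `<archive>.sha256sum` file whose first field is the hex digest); the file names in the usage comment are assumptions for illustration. It verifies the digest, extracts into a scratch directory, and only then installs the binary with mode 0755, refusing to install anything on a mismatch.

```shell
#!/bin/sh
# Added example (not from the original post or the helm project): verify a
# release archive against its published SHA-256 checksum file, then install the
# named binary into a PATH directory. Assumes the checksum file's first
# whitespace-separated field is the hex digest of the archive.
#
# Usage (file names are assumptions, adjust to the real release assets):
#   install_verified helm-vX.Y.Z-linux-amd64.tar.gz \
#                    helm-vX.Y.Z-linux-amd64.tar.gz.sha256sum helm "$HOME/.local/bin"

# sha256_of FILE: print the hex digest, using whichever tool the host has.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# install_verified ARCHIVE CHECKSUM_FILE BINARY_NAME DEST_DIR
# Returns 0 on success. On any failure it returns non-zero and installs nothing.
install_verified() {
    archive=$1 sumfile=$2 bin=$3 dest=$4

    # 1. The archive must match the published digest before anything is unpacked.
    expected=$(awk 'NR==1 {print $1}' "$sumfile")
    actual=$(sha256_of "$archive")
    if [ -z "$expected" ] || [ "$expected" != "$actual" ]; then
        echo "checksum mismatch for $archive (expected $expected, got $actual)" >&2
        return 1
    fi

    # 2. Extract into a scratch directory, never straight into a PATH directory.
    tmp=$(mktemp -d) || return 1
    if ! tar -xzf "$archive" -C "$tmp"; then
        rm -rf "$tmp"
        return 1
    fi

    # 3. Locate the binary inside the archive; bail out if it is not there.
    found=$(find "$tmp" -type f -name "$bin" | head -n 1)
    if [ -z "$found" ]; then
        echo "binary $bin not found in $archive" >&2
        rm -rf "$tmp"
        return 1
    fi

    # 4. Install with an explicit mode, then remove the scratch directory.
    mkdir -p "$dest" && install -m 0755 "$found" "$dest/$bin"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

A checksum file fetched from the same release page only proves the archive arrived intact; it cannot tell a tampered release from a genuine one, because whoever can replace the archive can replace the checksum file too. Where the project also publishes a detached signature, verify that against a key obtained out of band before trusting the digest.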
My understanding is that they've more or less always done this for various reasons: security patches, compatibility, dependency versioning.
I understand the historical reasons that led to this structure for package management, especially with how brittle C dependencies seem to be, but I truly hate this practice. It seems to make it exceptionally difficult for authors of major software to establish any sort of invariants or security boundaries.
Now to keep them updated is another story.