
And yet when I complained about `curl | sh` on HN the other day, I got ridiculed. "Everyone" is too much, but even on a purportedly "hacker" website, people find the idea of perusing a shell script before executing it preposterous.


Something that's hard to remember, but helps a little: if you get 3 people saying stupid things, that's only 3 people -- not necessarily representative of the people out there.


But `curl | sh` is no less secure. Download this file and execute it. Functionally the same outcome. Tell me how doing that is materially different than `apt-get`. Both employ signing and checksums (just with different PKI). One delegates trust to a package maintainer while the other trusts the author directly. I truly don’t understand the paranoia and consider it tinfoil hat security theater.


The package maintainer has to go through a web of trust in their FOSS ecosystem to be allowed to distribute their packages.

A GitHub author just has to put up a repo and hope that their fanbase isn't too versed in the language.
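An added example, written by the editor rather than any commenter, of the download-then-verify-then-execute workflow that the thread contrasts with piping `curl` straight into `sh`; it assumes GNU `sha256sum` is on the PATH and that the expected digest is obtained out of band (a release page, a signed checksum file), which the test below only simulates with a constructed script.

```shell
#!/bin/sh
# Editor's example, not code from the thread.
# Assumes GNU sha256sum; the expected digest comes from an out-of-band source.

# verify_script FILE EXPECTED_SHA256
# Returns 0 when FILE's SHA-256 digest equals EXPECTED_SHA256, 1 otherwise.
verify_script() {
    file="$1"
    expected="$2"
    actual=$(sha256sum "$file" | cut -d' ' -f1) || return 1
    [ "$actual" = "$expected" ]
}

# run_verified FILE EXPECTED_SHA256
# Executes FILE with sh only if its digest matches; refuses otherwise.
# Because the script is already on disk, it can be read before this step.
run_verified() {
    file="$1"
    expected="$2"
    if ! verify_script "$file" "$expected"; then
        echo "digest mismatch for $file; not executing" >&2
        return 1
    fi
    sh "$file"
}

# fetch_verify_run URL EXPECTED_SHA256
# Downloads to a temporary file instead of piping into sh, then defers to
# run_verified so that a mismatching or truncated download never executes.
fetch_verify_run() {
    url="$1"
    expected="$2"
    tmp=$(mktemp) || return 1
    if ! curl -fsSL "$url" -o "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    run_verified "$tmp" "$expected"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```

Compare the path `fetch_verify_run` takes with `curl URL | sh`: the digest check sits between download and execution, and the file remains available for inspection at that point.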



