zlacker

1. GuB-42 (OP) 2023-09-27 10:41:21
Probably a misguided idea of security. There is nothing wrong with JS itself; in fact, as far as languages go, it is pretty secure due to the attention it gets by being what runs in web browsers.

As for "curl | sudo sh", yeah it looks scary, but it is not worse than downloading a .deb and then doing "sudo dpkg -i your.deb", or installing any downloaded binary on your machine for that matter. You may say something about signatures, but often, the public key you have to trust is on the same website you downloaded the .deb from. In all these cases, TLS is the only thing protecting you. Going through a file you don't audit doesn't change anything, and in practice, almost no one does the audit, and few Linux boxes have AV scanners.

Don't trust it? Run it in a VM, container, or dedicated hardware; this is actually what they are suggesting.
