
> Either way, it’s not a problem with just pipe-to-shell, it’s a problem with any code you retrieve without TLS.

Well, yes. But the typical alternative is a tarball and a gpg signature - both via insecure transport, but verifiable (like with TLS and a CA).

Git will typically be via SSH or HTTPS - so to a certain degree over a secure channel.
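
The tarball-plus-signature check mentioned in the comment above, as an added example that is not part of the original thread: the download is accepted only when `gpg --status-fd` reports a valid signature from a pinned primary-key fingerprint, so the transport does not need to be trusted. The function names, the fingerprint and the sample status lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: accept a tarball only if its detached signature was made by a
# pinned key. The channel it arrived over (plain HTTP, a mirror) is not trusted.

# Constructed placeholder: the signer's full primary-key fingerprint,
# obtained out of band (hypothetical value).
PINNED_FPR="0123456789ABCDEF0123456789ABCDEF01234567"

# signed_by_pinned_key STATUS_TEXT FPR
# Parses `gpg --status-fd` output. Succeeds only if a VALIDSIG line names FPR as
# the primary-key fingerprint (field 12) and no line reports a bad, expired or
# revoked signature or key. Anything else, including empty input, is rejected.
signed_by_pinned_key() {
    printf '%s\n' "$1" | awk -v want="$2" '
        $1 != "[GNUPG:]" { next }
        $2 ~ /^(BADSIG|ERRSIG|EXPSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        $2 == "VALIDSIG" && NF >= 12 && toupper($12) == toupper(want) { ok = 1 }
        END { exit !(ok && !bad) }'
}

# verify_tarball TARBALL SIGFILE
# Runs gpg on a real download and applies the check above. gpg's own exit code
# is ignored on purpose: "good signature from some key in the keyring" is
# weaker than "good signature from the pinned key".
verify_tarball() {
    status=$(gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null) || true
    signed_by_pinned_key "$status" "$PINNED_FPR"
}

# Constructed status output: valid signature from the pinned key.
GOOD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Release Key <release@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2024-01-01 1704067200 0 4 0 1 10 00 0123456789ABCDEF0123456789ABCDEF01234567'

# Constructed: cryptographically valid, but made by a different key, as when
# both the tarball and the .sig were replaced on the download path.
OTHER_KEY_STATUS='[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 7654321076543210 Someone Else <other@example.org>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA987654321076543210 2024-01-01 1704067200 0 4 0 1 10 00 FEDCBA9876543210FEDCBA987654321076543210'

# Constructed: tarball modified after signing.
BAD_STATUS='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Release Key <release@example.org>'
```

The check is only as strong as the way the pinned fingerprint was obtained; a fingerprint copied from the same untrusted page as the tarball adds nothing.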


