It's not just a security thing. If you install something via curl|bash, how do you uninstall it? How do you update it? Do you know what it did to your machine? What config files it touched?
Yes, there are always sloppy packages, or ones that need side effects (but that's usually very rare, and sometimes even then it's because of sloppiness), but installing something via a package manager comes with certain expectations (I can update it, I can uninstall it, it's usually got a few standardised places where its config lives, etc). curl|sh makes most of these things a greater nuisance rather than frictionless.
1. That's moving the goalposts; any normal package manager has a significantly stronger likelihood of being able to do those things than curl|bash. Don't let perfect get in the way of good.
2. Actually, no, I will fight you on this: Unless you're actively trying to break them, docker, nix, flatpak, or any of their ilk will trivialize updates and give you guaranteed uninstallation, and going full container will absolutely let you lock down exactly what an application is capable of touching or leaving behind (so, easy with podman/docker, varies with flatpak).