It’s bad practice to do it, but it makes it especially easy for end users who already trust both the source and the script.

You’re not wrong but this is what lead to the xz “hack” not to long ago. When it comes to data, trust is a fickle mistress.