kevinrineer 5 days ago

`curl URL | sudo sh` doesn't have a means of verification of what the contents of the URL points to.

Sure, a binary can be swapped in other places, but they generally can be verified with hashes and signatures. Also, a plaintext install script often has this problem in another layer of recursion (where the script usually pulls from URLs that the runner of the script cannot verify with this method).
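The verification step the comment above describes as missing from `curl URL | sudo sh`, as an added example that is not part of the original comment: save the installer to a file, compare it with a SHA-256 digest obtained out of band, and list the URLs the script would fetch itself, since the digest says nothing about those. The function names, the installer text and the `example.invalid` URL are constructed for illustration.

```shell
#!/bin/sh
# Added illustration; all names and sample data below are hypothetical.

# Print the SHA-256 hex digest of FILE (sha256sum on Linux, shasum elsewhere).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 only if FILE hashes to the non-empty EXPECTED digest.
verify_installer() {
    actual=$(sha256_of "$1")
    [ -n "$2" ] && [ "$actual" = "$2" ]
}

# List the URLs the script itself downloads from: the second layer that
# a digest of the outer script does not cover.
nested_urls() {
    grep -Eo "https?://[^\"' )]+" "$1" | sort -u
}

# Execute FILE only after the digest check passes.
run_verified() {
    if verify_installer "$1" "$2"; then
        sh "$1"
    else
        echo "refusing to run $1: digest mismatch" >&2
        return 1
    fi
}

# Constructed sample installer (never executed here, only inspected).
demo=$(mktemp)
cat > "$demo" <<'EOF'
#!/bin/sh
curl -fsSL https://example.invalid/tool.tar.gz -o /tmp/tool.tar.gz
tar -xzf /tmp/tool.tar.gz -C /usr/local
EOF
# Stands in for a digest the publisher would post over a separate channel.
pinned=$(sha256_of "$demo")

verify_installer "$demo" "$pinned" && echo "digest ok"
echo "URLs fetched by the script, not covered by the digest:"
nested_urls "$demo"
```

In real use the pinned digest comes from the publisher rather than being computed from the downloaded file, and each URL reported by `nested_urls` needs its own check.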