A package is at least a signable, checksummable artefact. The `curl | sh` thing could have been anything, and after running it you have no record of what it was you did.

There have also been PoCs on serving malicious content only when piped to `sh` rather than saved to a file.

If you want to execute shell code from the internet, at the very least store it in a file first and store that file somewhere persistent before executing it. It will make forensics easier.
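The download-to-file-then-run pattern described above, written out as an added example (this is not code from the thread). It keeps a persistent copy of every fetched script plus a log line with timestamp, origin and SHA-256 before anything executes, and refuses to run a staged file whose bytes no longer match the hash it was stored under. `AUDIT_DIR` is an assumed location; everything else is plain POSIX sh, `curl`, and `sha256sum`/`shasum`.

```shell
#!/bin/sh
# Added example, not from the thread: replace `curl URL | sh` with a
# download-to-file step that records exactly what was fetched before it runs.
# AUDIT_DIR is an assumed location; override it via the environment.

AUDIT_DIR=${AUDIT_DIR:-$HOME/.local/share/fetched-scripts}

# SHA-256 of a file, using whichever tool is installed.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Store a downloaded script under AUDIT_DIR as <timestamp>-<hash>.sh, make it
# read-only, and append one tab-separated log line. Prints the stored path.
stage_script() {  # usage: stage_script downloaded_file origin_url
    src=$1; origin=$2
    mkdir -p "$AUDIT_DIR"
    hash=$(sha256_of "$src")
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    dest=$AUDIT_DIR/$stamp-$hash.sh
    cp "$src" "$dest" && chmod 0444 "$dest"
    printf '%s\t%s\t%s\t%s\n' "$stamp" "$hash" "$origin" "$dest" >> "$AUDIT_DIR/fetch.log"
    printf '%s\n' "$dest"
}

# Download with curl into a temp file (never into a pipe), then stage it.
fetch_script() {  # usage: fetch_script URL  -> prints stored path
    url=$1; tmp=$(mktemp)
    curl -fsSL -o "$tmp" "$url" || { rm -f "$tmp"; return 1; }
    stage_script "$tmp" "$url"
    rm -f "$tmp"
}

# Run a staged script only if its content still matches the hash in its name,
# so a file that was modified or swapped after staging is refused.
run_staged() {  # usage: run_staged stored_path
    path=$1
    expected=$(basename "$path" .sh | sed 's/^[^-]*-//')
    actual=$(sha256_of "$path")
    [ "$actual" = "$expected" ] || { echo "hash mismatch for $path" >&2; return 1; }
    sh "$path"
}

# Typical use (needs network, so not executed here):
#   f=$(fetch_script https://example.invalid/install.sh) && less "$f" && run_staged "$f"
```

The point of the read-only copy and the log line is that, whatever the script did, the bytes that ran and where they came from are still on disk afterwards; `run_staged` adds the check that what you reviewed is what executes.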

I've seen deb files that do everything in a post-install script. There's no way to identify this before downloading them (they came from a hosted repo, were signed). Some of these download files based on an internal manifest, others just run `pip install`, and others download a list of other files that need to be downloaded.

There's no guarantee packages are actually making use of package features in any reasonable way, other than convention.

If you're going to run code without inspecting it though, the methods are similar. One case has https, the other a signature (which you're trusting due to obtaining it over https). You can't inspect it reliably only after getting hypothetically compromised.
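The post-install scripts mentioned above can be read before the package is ever installed, since they sit in the `control.tar.*` member of the `.deb`. The following added example (not code from the thread) lists and dumps a package's maintainer scripts without dpkg, by walking the `ar` container with `tail`/`head` and handing the control tarball to `tar`. It also builds a small constructed sample `.deb` whose postinst runs a `pip install`, so the check can be exercised offline; the package name, version and script content are made up for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: inspect a .deb's maintainer scripts
# (preinst/postinst/prerm/postrm) before installing it. A .deb is an `ar`
# archive with members debian-binary, control.tar.* and data.tar.*; the
# scripts live in control.tar.*. Needs only POSIX sh, tail/head, tar, gzip/xz.

# List ar members as "name data_offset size", one per line.
ar_members() {
    f=$1
    [ "$(head -c 7 "$f")" = "!<arch>" ] || { echo "not an ar archive: $f" >&2; return 1; }
    total=$(wc -c < "$f" | tr -d ' ')
    off=8
    while [ "$off" -lt "$total" ]; do
        hdr=$(tail -c +$((off + 1)) "$f" | head -c 60)
        name=$(printf '%s' "$hdr" | cut -c1-16 | sed 's/[ /]*$//')
        size=$(printf '%s' "$hdr" | cut -c49-58 | tr -d ' ')
        printf '%s %d %d\n' "$name" $((off + 60)) "$size"
        off=$((off + 60 + size + size % 2))   # members are 2-byte aligned
    done
}

# Write the decompressed control tarball to stdout.
deb_control_tar() {
    f=$1
    ar_members "$f" | while read -r name off size; do
        case $name in control.tar*) ;; *) continue ;; esac
        case $name in
            *.gz)  dec='gzip -dc' ;;
            *.xz)  dec='xz -dc' ;;
            *.zst) dec='zstd -dc' ;;
            *)     dec='cat' ;;
        esac
        tail -c +$((off + 1)) "$f" | head -c "$size" | $dec
        break
    done
}

# Names of the maintainer scripts present in the package.
deb_maintainer_scripts() {
    deb_control_tar "$1" | tar -tf - | sed 's#^\./##' \
        | grep -E '^(preinst|postinst|prerm|postrm)$' || true
}

# Print one maintainer script (entries are usually stored as ./name).
deb_cat_script() {  # usage: deb_cat_script pkg.deb postinst
    deb_control_tar "$1" | tar -xOf - "./$2" 2>/dev/null \
        || deb_control_tar "$1" | tar -xOf - "$2"
}

# Append one ar member (60-byte header, body, newline pad when odd-sized).
ar_add() {  # usage: ar_add name file >> archive
    size=$(wc -c < "$2" | tr -d ' ')
    printf '%-16s%-12s%-6s%-6s%-8s%-10s`\n' "$1" 0 0 0 100644 "$size"
    cat "$2"
    [ $((size % 2)) -eq 1 ] && printf '\n'
    return 0
}

# Constructed sample: a tiny .deb whose postinst runs a pip install, the
# pattern described in the thread. Purely synthetic, not a real package.
make_sample_deb() {  # usage: make_sample_deb out.deb
    out=$1; w=$(mktemp -d)
    mkdir -p "$w/c" "$w/d/usr"
    printf 'Package: sample\nVersion: 0.1\nArchitecture: all\nMaintainer: x\nDescription: s\n' > "$w/c/control"
    printf '#!/bin/sh\npip install some-package\n' > "$w/c/postinst"
    tar -czf "$w/control.tar.gz" -C "$w/c" ./control ./postinst
    tar -czf "$w/data.tar.gz" -C "$w/d" ./usr
    printf '2.0\n' > "$w/debian-binary"
    { printf '!<arch>\n'
      ar_add debian-binary "$w/debian-binary"
      ar_add control.tar.gz "$w/control.tar.gz"
      ar_add data.tar.gz "$w/data.tar.gz"; } > "$out"
    rm -rf "$w"
}

# Usage: sh inspect-deb.sh pkg.deb   (e.g. after `apt-get download pkg`, before `dpkg -i`)
if [ -n "${1:-}" ] && [ -f "$1" ]; then
    for s in $(deb_maintainer_scripts "$1"); do
        printf '==== %s ====\n' "$s"; deb_cat_script "$1" "$s"
    done
fi
```

Signed repositories vouch for who published the package, not for what its postinst does; reading the scripts out of the downloaded file is the only step that actually shows what will run with root at install time.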