
By that logic https://github.io is shady.

Also, a bad actor could just as well register https://rustup.dev. Rather than judging a URL in a vacuum based on the TLD, you should instead cross-reference the official docs and confirm that the URL is correct.



Is it not? If GitHub were asking me to download and run code from a github.io subdomain without checking a signature, or something of similar risk level, I'd be concerned. I'd also be correct to be concerned, since anyone can put anything in a github.io subdomain -- I'd need to make sure that github actually owns that repo. Strictly speaking that's orthogonal, and github does actually own the github.io domain. The domain still seems suboptimal to me, but I don't make those decisions.

And yes, a bad actor could just as easily register rustup.dev. Nobody ever claimed that checking the TLD is sufficient to make a site trustworthy; only that it appears a bit shady. Unless you're already familiar with Rust (or at least with a particular aspect of startup culture), there's no obvious reason to choose .rs. On the other hand, domains in somepopularsite.unrelatedtld have been a phishing staple for decades -- making the shady vibe at least a little bit reasonable.


I meant that the logic implies that https://github.io is shady because it uses the ccTLD of British Indian Ocean Territory despite being unrelated.

Of course you should cross-reference the authenticity of any URL you are about to execute as a shell script. No one is saying not to.

But your point seems to agree with mine: it’s only as shady as it is unfamiliar. The answer shouldn’t be to come up with a URL that lowers your guard. Instead, users should get familiar.
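As an added illustration of the "cross-reference the official docs" point made in this thread (example code, not written by any commenter): the check below accepts an installer URL only when its host exactly matches one taken from the project's documentation, so a different TLD (rustup.dev), a somepopularsite.unrelatedtld lookalike, or the real hostname buried in a path all fail. The allowlist contents are a stand-in; fill it from the official docs.

```shell
#!/bin/sh
# Added example, not from the thread. Hosts are a stand-in: copy the real
# ones from the project's official documentation, not from memory.
DOCUMENTED_HOSTS="sh.rustup.rs static.rust-lang.org"

# Print the lowercased host of an https:// URL. Fails (status 1) for any
# other scheme. Userinfo ("user@") and a ":port" suffix are stripped;
# bracketed IPv6 literals are not handled and simply fail to match.
url_host() {
    _rest="${1#https://}"
    [ "$_rest" != "$1" ] || return 1      # scheme was not https://
    _host="${_rest%%/*}"                  # cut at first '/'
    _host="${_host##*@}"                  # drop userinfo, if any
    _host="${_host%%:*}"                  # drop port, if any
    printf '%s\n' "$_host" | tr 'A-Z' 'a-z'
}

# Status 0 only on an exact, whole-host match against DOCUMENTED_HOSTS.
# Judging the TLD alone is no check; "rustup.rs.example" and
# "example.com/sh.rustup.rs" both contain the real name yet must fail.
url_is_documented() {
    _h=$(url_host "$1") || return 1
    for _d in $DOCUMENTED_HOSTS; do
        [ "$_h" = "$_d" ] && return 0
    done
    return 1
}

# Usage sketch: only fetch once the host check passes, and fetch to a file
# you can read (and checksum or signature-check) before running it, rather
# than piping the response straight into sh:
#   url_is_documented "$URL" && curl -fsSLo install.sh "$URL"
```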



