Funny how people complain about piping wget into bash, but will happily install and run random node/ruby/whatever packages downloaded from a random github repository.[1]
The truth is that program isolation sucks terribly on all operating systems that one might reasonably use for a development machine. Fixing that would be so great, but a lot of work.
[1] Perhaps you're the lone wolfling who doesn't do that, but I have seen this kind of behaviour from people on the don't-pipe-wget-into-shell bandwagon.
Certificate pinning helps with Github, but doesn't help with <random website that I've never visited before>.
(Still doesn't help if the software package itself - that is the canonical copy - is malicious - but prevents MITMing from anyone that doesn't have that particular certificate, at least.)
That being said, you have a (very) valid point. Modern OSes are... not exactly secure.
The truth is that program isolation sucks terribly on all operating systems that one might reasonably use for a development machine. Fixing that would be so great, but a lot of work.
[1] Perhaps you're the lone wolfling who doesn't do that, but I have seen this kind of behaviour from people on the don't-pipe-wget-into-shell bandwagon.