I feel this way even more about this approach to PowerShell scripts. At the very least you could code sign [1] your script. Most PowerShell devs run with the execution policy RemoteSigned for multiple reasons. Instead of pulling your script down from the web and dangerously converting it to a string to call (with &) you can download it as a real file and Invoke-Command (icm) it. Dangerous eval versus correctly running a script.
Sure, Authenticode signing certificates aren't always cheap, and signing your script doesn't protect the script from compromise without other good security practices, but it would still show some attention to detail on PowerShell and some attempt to avoid malware compromising your script.
There's even talk in the PowerShell world about Invoke-Command directly accepting HTTPS URLs to scripts, but in addition to some security questions, it is caught in a catch-22 that not enough of these scripts are Signed so there's not enough demand for it, but if more tools like this were doing code signing there's a world where the code golfed instructions are just `icm https://yourdomain.com/some/script.ps1`, and it is more secure than these examples with (`&` or `iex`) and `iwr`.
Sure, Authenticode signing certificates aren't always cheap, and signing your script doesn't protect the script from compromise without other good security practices, but it would still show some attention to detail on PowerShell and some attempt to avoid malware compromising your script.
[1] https://learn.microsoft.com/en-us/powershell/module/microsof...