If you can get the insecure bash script onto the system you can also get a bundle with a more secure downloader (or even better, the binaries to be installed) on the system in the same way. Even if you are limited to copy and pasting ASCII text, shell archives are a thing as are a myriad of other possible solutions that do not involve downloading a binary over plain HTTP without any verification.

I think you've missed the point. Even on systems where HTTPS is normally available an attacker in the middle can trivially cause their official installer script to download and run malware by just blocking a few HTTPS connections.

This is the DEFAULT fallback behavior in their installer - not something that only happens on legacy machines.

If I install a project from GitHub on the airport WiFi I'm assuming that the authors know what they're doing and I'm not potentially getting silently MITMed. And when I find out the authors don't know what they're doing to this extreme extent, I note down to never use their project.