I request one thing, you send me something completely different. I don't see how making the "something" an ASCII script makes it easier than a random binary (and there's no requirement that the random binary has any relationship with what I requested).

Oddly, I'm more used to seeing arguments that distributing source code is better than distributing binaries because you can inspect source code.

The scenario isn't that I send you something different, but that somebody else gets in between us and tampers with the data. That's what https tries to avoid.

We're arguing levels of badness here so it's a little hokey. But if you decide to open up your machine to run arbitrary code, a machine that can run shell will arguably get more infections than one that runs executables. To infect the ladder any script kiddies will need to know a 'harder' language and at least how to compile it. It's a couple more hoops to jump through. In the other case I could drive by and do scp ~/mailbox me@myserver:

"Tampers with the data" is functionally equivalent to sending me something different. There's not requirement that it looks like what I requested at all, and as long as it will execute when double-clicked, it'll do the trick.

We're already talking about running arbitrary code on a machine, compiled versus interpreted is irrelevant. And I think you have forgotten that a script with the appropriate hash-bang and file permissions is indistinguishable to most users from a compiled executable.