Yes, this security concern is real. There are scripts that silently auto-update from the HEAD of some arbitrary git branch. If some nasty or simply buggy commit/pr manages to goes through, this code will potentially proliferate to a large number of installations that use these auto-update scripts. That may in some cases even give root access - the mother of all nightmares.
There currently are quite a few disconnected pieces at work i.e.
- compile the node/cli
- use a cron/script to do topology updates
- come up with your own service config
- use some external monitor process
- tools that handle registration + update
One possibility to reduce the attack surface, would IMHO be to only use runtime components that are issued by IOHK. Docker images are good at this. They are immutable runtime components carefully crafted with all the necessary functionality backed in such that they are self sufficient (i.e. no external service, cron, etc. needed), available for a variety of target environments and perhaps most importantly released from an official source.
Here is a CIP about this: Provide high quality multiarch docker image and k8s support