Checking the hash isn't relevant here. The content is served via HTTPS, you either trust the host or you don't. A host can easily serve you a malicious binary, as well as the valid hash of that malicious binary.
Which is why many people choose to only install software from their trusted distro maintainers who add a layer of vetting for random software packages, often built from source so messing with the package isn't possible without leaving some kind of trace that can be detected later.
Indeed, by all means, prefer to trust your distro if they package a version that's new enough. Alternatively, prefer to build from source if you like. But if you trust the Rust project to be competent enough and benign enough not to include malware in the compiler itself, then it's not a stretch to trust their official toolchain juggling tool downloaded from their official website. Focusing on the curl | bash aspect is a tired meme at this point.
Your distro's overworked maintainer isn't reviewing 15+ million lines of code included in Rust.
Most likely they get the precompiled rustc binary just like rustup, and LGTM-YOLO the package. If they try to be diligent, they maybe take extra 150K lines of mrustc code they can't reasonably carefully review for backdoors either, and then use it to bootstrap the several sets of 15M lines of code they won't look at.
The one thing you may get in using your distribution is protection for the case that the rustup.sh website has been temporarily pwned. But I agree that focusing on curl | sh is nonsense.
