I’d say verify if you can, otherwise make a “disposable” template. For example, I have a few programs that I don’t trust. I made a debian-untrusted template and installed every program there. Now those untrusted and potentially compromised programs can enjoy each others company and my private applications stay safe. You’d just have to take care not to have anything you’d consider more than useless data on any vm from this template. As for installing it onto your regular work/personal vm, I’d say it’s good enough if the program is verified and you somewhat trust the developers. For highly trusted/critical vms I’d recommend you don’t install anything that isn’t strictly and irreplacably important. Those would (probably) be your vault vm, gui vm and dom0.
I had a related question about installing an appimage via a bash script.
Remember that if you can audit the script itself, then it’s fine to run it in a TemplateVM. What the script might download or install might still be malicious, or may be compromised in the future.