The point is you download the key only once - the first time. The probability of getting infected the first time is lower than the probability of getting infected the first time plus with any of the manual updates. And you can still use keybase or other alternative sources. But the education of how to do this properly is generally low, that's true. Nostr could make it more user friendly in some aspects but it introduces another problem: duplicate profiles. You have to know which specific key belongs to the person you trust.