Having 55% of hash doesn’t mean you’ll make profit by attempting a doublespend.
But a pool could be turned into a malicious pool by an adversary that takes control of it. A clear disadvantage of centralization is that it creates a single point of failure.
Even a malicious pool could at worst mine empty blocks for a while.
Why is this the case? I still have not studied the Monero protocol yet.
But if, during GitHub's build process, the sha256sum of the output binary is printed, and the hash matches what is in the release, isn't this enough to demonstrate that the binary in the release is the binary built during the workflow?