Verify download authenticity

As I understand it, all downloads except for the AppImage are code-signed using Joplin's certificates and the installers have inbuilt integrity checking. The package is protected as any alteration would show as a code-signing or integrity failure. Agreed it is not obvious to the user that this is happening but it is totally transparent and requires no additional user action, such as installing and using GPG or a hash checking utility.

To be certain I just took a Joplin installer for Windows and opened it in WinHex. At a random point in the file I changed just one "nibble" from F to 0 so the single byte value went from x0F to x00. I then tried to run the installer and got this.

[image: installer_error]

As mentioned previously, the AppImage is an exception and so a SHA512 hash signature can be found in each version's Releases area on GitHub (see the image in my post above).

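As an added example (not code from the original post or from the Joplin project), here is the manual check the AppImage needs, in Python: stream the file through SHA-512, compare the result in constant time against a sha512sum-style line of the kind published in the Releases area, then repeat the experiment above by changing one nibble from F to 0 and checking again. The file name, the file content and the checksum line are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

def sha512_of_file(path, chunk_size=1 << 20):
    """Stream the file through SHA-512 so a large AppImage never has to fit in RAM."""
    h = hashlib.sha512()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def parse_sha512sum_line(line):
    """Parse a sha512sum-style line, '<128 hex chars>  <filename>', into (hex, filename)."""
    parts = line.strip().split(maxsplit=1)
    if len(parts) != 2 or len(parts[0]) != 128:
        raise ValueError("not a SHA-512 checksum line")
    int(parts[0], 16)  # raises ValueError if the digest is not hex
    return parts[0].lower(), parts[1].lstrip("*")

def verify_download(path, published_line):
    """True only if the file's SHA-512 equals the published value (constant-time compare)."""
    expected_hex, _name = parse_sha512sum_line(published_line)
    return hmac.compare_digest(sha512_of_file(path), expected_hex)

def set_low_nibble(path, offset, nibble):
    """Reproduce the post's experiment: overwrite the low nibble of one byte in place."""
    with open(path, "r+b") as f:
        f.seek(offset)
        byte = f.read(1)[0]
        f.seek(offset)
        f.write(bytes([(byte & 0xF0) | (nibble & 0x0F)]))

def demo():
    """Constructed stand-in for an AppImage: verify, change x0F -> x00 at one offset, verify again."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "Sample.AppImage")
        data = bytearray(bytes(range(256)) * 16)  # 4 KiB of constructed content
        data[100] = 0x0F
        with open(path, "wb") as f:
            f.write(data)
        # Stand-in for the line you would copy from the Releases page (constructed value).
        published = f"{sha512_of_file(path)}  Sample.AppImage"
        before = verify_download(path, published)
        set_low_nibble(path, 100, 0x0)
        after = verify_download(path, published)
        return before, after
```

Calling demo() returns (True, False): the untouched file verifies, and the same file with a single nibble changed does not.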