Yeah, but a browser isn't something that you probably want to be getting from an untrusted source. Hell, random malware aside, the Kremlin themselves could probably just actively distribute a modified Firefox, see what people who don't want to be blocked are getting up to and grab their credentials to websites.
I mean, there are ways to do it. You find some alternate source that you trust to get a hash of a browser release or a copy of signing keys or something and get a signature from someone you trust and validate that, but that's narrowing down the pool of people for whom the browser is accessible a long ways.
I mean, yeah, if I were in Russia, I'd probably use an SSH tunnel to get out. They can block VPN providers that don't apply the government blocklist, but I don't believe that they're prepared to kill outbound SSH. But the government just needs to block the vast majority, and the vast majority aren't gonna be doing that.
Like, you make the path of least resistance to live in an information bubble, then make the resistance to doing something else high enough, and you've got the 99.9% solution that you need.