Apparently multiple antiviruses flag it [0]. A tool that can inject whatever during the OS installation process should be closely scrutinized. Some also have trust issues with software that comes from China.
Well, antiviruses usually flag also pentesting tools like nmap (this is just an example, I didn't actually test it but I wouldn't be surprised if it is flagged) because those are "hacking tools" even if they don't do anything by themselves. So it would be more interesting to know why it gets flagged, just saying that it is flagged doesn't mean much as like in the previous example, they could decide to flag something just because it is unusual.
I've heard zee-shell (like seashell)/zed-shell most often but I don't think there is any nearly universally accepted way like say bash. I've heard both zish and zee/zed-ess-aitch/haitch before but not as often.
I've been pronouncing it as "zeesh" in my head, which works well for me. I think I got that from a coworker? Not sure. Works fairly well with "oh my zeesh" as well, which I like.
The existence of oh-my-zsh has always implied to me a common pronunciation that rhymes with "gosh", which is really the only way their play on words works.
