There's a fairly unlikely but not impossible scenario: a malicious mirror maintainer or an attacker replaces all content of a mirror with a self-built image and corresponding PGP key and signatures. This will not work for upgrading images downloaded from valid mirrors (unless the user chooses to ignore the signature check), but can affect people who download the image and install from scratch.
Those who install for the first time should have an easy way to get the authoritative key, and find out which download site is the authoritative one too.
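The scenario above boils down to where the verification key comes from. The following added example (not code from the original post) models a mirror that serves image, key and signature together, and contrasts a client that trusts the served key with one that pins an authoritative key fingerprint obtained elsewhere. It uses Ed25519 as a stand-in for PGP and SHA-256 over the raw key bytes as a stand-in fingerprint; both are assumptions for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Mirror is what a download site serves: the image, a public key, and a
// signature over the image made with that key. A rogue mirror controls all three.
type Mirror struct {
	Image     []byte
	PubKey    ed25519.PublicKey
	Signature []byte
}

// BuildMirror produces a mirror serving an image signed by the given key.
func BuildMirror(priv ed25519.PrivateKey, image []byte) Mirror {
	return Mirror{Image: image, PubKey: priv.Public().(ed25519.PublicKey), Signature: ed25519.Sign(priv, image)}
}

// Fingerprint is the hex SHA-256 of a public key (assumed stand-in for a PGP fingerprint).
func Fingerprint(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:])
}

// VerifyNaive trusts whatever key the mirror serves: it only proves the image
// matches the mirror's own key, so a self-built image with a self-built key passes.
func VerifyNaive(m Mirror) bool {
	return ed25519.Verify(m.PubKey, m.Image, m.Signature)
}

// VerifyPinned additionally requires the served key to match the authoritative
// fingerprint the user obtained from somewhere other than the mirror.
func VerifyPinned(m Mirror, authoritativeFP string) bool {
	return Fingerprint(m.PubKey) == authoritativeFP && ed25519.Verify(m.PubKey, m.Image, m.Signature)
}

func main() {
	_, projectKey, _ := ed25519.GenerateKey(rand.Reader) // constructed: the real signing key
	_, rogueKey, _ := ed25519.GenerateKey(rand.Reader)   // constructed: the rogue mirror's key
	authoritativeFP := Fingerprint(projectKey.Public().(ed25519.PublicKey))
	good := BuildMirror(projectKey, []byte("constructed sample: genuine image"))
	rogue := BuildMirror(rogueKey, []byte("constructed sample: replaced image"))
	fmt.Println("naive: ", VerifyNaive(good), VerifyNaive(rogue))                                   // true true
	fmt.Println("pinned:", VerifyPinned(good, authoritativeFP), VerifyPinned(rogue, authoritativeFP)) // true false
}
```

The naive check is exactly the check a first-time installer performs when the key and the image come from the same mirror, which is why the authoritative fingerprint has to reach the user over a separate channel.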