by Macha 3323 days ago
The AUR (since you mention yaourt) or PPAs are the Linux equivalent of downloading random crap off developer homepages, though. They have benefits in terms of updates etc., but they're no more secure (and you may want to look at the next PKGBUILD you install and see how many of them are literally just grabbing stuff off third-party servers anyway).

See for example:

* Kivy: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=pytho...

* Chrome: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=googl...

* Vivaldi: https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=vival...

* Plymouth (over HTTP too!): https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=plymo...

* Oracle JDK (also plaintext HTTP!): https://aur.archlinux.org/cgit/aur.git/tree/PKGBUILD?h=jdk


That's how pretty much all packages in any distribution are built.

Note the included hashes — if the file on the server gets replaced, the building process will complain. (Sure, the package maintainer will probably just replace the hash :D But if the file changed while the version number didn't change, or there was no release announcement, that's suspicious…)
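Added example (not from the thread, and not makepkg's or FreeBSD's own code): a small POSIX shell sketch of the two things the comments above are talking about, the pinned-checksum compare that makes a build "complain" when the upstream tarball changes, and a lint for `http://` sources like the Plymouth and JDK PKGBUILDs linked above. The tarball contents and URLs are constructed for illustration; the `SKIP` convention and the `localname::url` source syntax are the ones a PKGBUILD's `sha256sums` and `source` arrays use.

```shell
#!/bin/sh
# Added example, not from the thread and not makepkg's code. It re-implements
# in a few lines what the pinned hashes in a PKGBUILD buy you: a fetched
# source that differs from the hash in the package file fails the build.
# The "tarball" written below is constructed; no network is used.

set -u

# Portable SHA-256 of a file: coreutils sha256sum, else BSD/perl shasum.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_source FILE EXPECTED_SHA256
# 'SKIP' disables the check (as it does in a PKGBUILD's sha256sums array);
# anything else must match exactly. Returns 0 on pass, 1 on mismatch.
verify_source() {
    file=$1; expected=$2
    if [ "$expected" = "SKIP" ]; then
        echo "    $file ... Skipped"
        return 0
    fi
    actual=$(sha256_of "$file")
    if [ "$actual" = "$expected" ]; then
        echo "    $file ... Passed"
        return 0
    fi
    echo "    $file ... FAILED (expected $expected, got $actual)" >&2
    return 1
}

# plaintext_sources SOURCE...
# Prints every source fetched over http://. With no transport integrity the
# pinned hash is the only thing between you and a swapped tarball.
# Returns 0 if none are plaintext, 1 otherwise.
plaintext_sources() {
    found=0
    for src in "$@"; do
        url=${src##*::}          # strip an optional "localname::" prefix
        case "$url" in
            http://*) echo "plaintext source: $url"; found=1 ;;
        esac
    done
    return $found
}

# Demo: a good fetch, then the same file silently replaced upstream while
# the version number (and the hash in the package file) stayed the same.
demo() {
    tmp=$(mktemp -d)
    printf 'constructed tarball, version 1.0\n' > "$tmp/example-1.0.tar.gz"
    pinned=$(sha256_of "$tmp/example-1.0.tar.gz")   # what the maintainer committed

    echo "==> Validating source files with sha256sums..."
    verify_source "$tmp/example-1.0.tar.gz" "$pinned"

    printf 'constructed tarball, version 1.0, plus something extra\n' > "$tmp/example-1.0.tar.gz"
    echo "==> Re-validating after upstream replaced the file..."
    verify_source "$tmp/example-1.0.tar.gz" "$pinned" ||
        echo "==> ERROR: One or more files did not pass the validity check!"

    # Constructed source array in PKGBUILD style; only the second is plaintext.
    plaintext_sources \
        "example-1.0.tar.gz::https://example.invalid/dl/example-1.0.tar.gz" \
        "http://example.invalid/dl/example-1.0.tar.gz.sig" || true
    rm -rf "$tmp"
}

demo
```

The point the example makes concrete: the hash check is only as good as the habit of reading the failure. A hash mismatch with no new upstream version is exactly the "file changed but version didn't" signal described above, and the right move is to compare against a second copy or a signature, not to paste the new sum into the package file.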

But Arch pulls these files and rebuilds every time, right? Compared to most other distros, where only the (more) savvy maintainer does these steps. Don't Arch end users just assume there's a new version out and the package hasn't been updated, ignore the error and install anyway? Or are they better trained to take notice of this suspicious stuff?
> ignore the error and install anyway

I don't remember how Arch does it, but in FreeBSD Ports you need to actively replace the hash in the text file, there's no easy ignore option. (FreeBSD also mirrors the files on the project's servers, which is pretty cool)