Sibling comments have discussed how this affects Debian, Ubuntu, and openSUSE -- any Arch users know how this affects us? Seems like official repos should be fine but what about packages from the AUR?
I don’t think the AUR has a concept of package signing—a PKGBUILD will often download a tarball from somewhere and any signing is ad-hoc. The official repositories use their own key ring (which is distributed without a key server).
Correct. The only time when this would concern you is when you add a third-party repository, e.g. one of [1]. This usually involves a manual TOFU step where you do the equivalent of `gpg --recv-keys $ID` on the pacman keyring.
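One way to make that TOFU step less blind, as an added example that is not from this thread: fetch the key by ID as usual, but only locally sign it into the pacman keyring if its full primary-key fingerprint matches one published out of band (e.g. on the repository's own HTTPS page). The key ID, fingerprint and repository name below are constructed placeholders; the helpers parse `gpg --with-colons` output.

```bash
#!/usr/bin/env bash
# Pin a third-party pacman repository key by full fingerprint instead of
# trusting whatever a keyserver hands back for a key ID.
# Every identifier below is a constructed placeholder, not a real repository.

# Constructed `gpg --with-colons --list-keys` output: one primary key
# (pub + fpr), one uid, one subkey with its own fpr record.
SAMPLE_COLONS='tru::1:1546300800:0:3:1:5
pub:-:4096:1:0123456789ABCDEF:1546300800:::-:::scSC::::::23::0:
fpr:::::::::0000111122223333444455556666777788889999:
uid:-::::1546300800::DEADBEEF::Example Repo <repo@example.invalid>::::::::::0:
sub:-:4096:1:FEDCBA9876543210:1546300800::::::s::::::23:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF00001111222233334444:'

# Print the primary-key fingerprint: the first fpr record (field 10).
# Subkey fingerprints that follow are deliberately ignored.
primary_fingerprint() {
    printf '%s\n' "$1" | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Compare a fingerprint with the pinned value, ignoring case and the
# spaces people copy from web pages. Empty input never matches.
fingerprint_matches() {
    local got expected
    got=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    expected=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$got" ] && [ "$got" = "$expected" ]
}

# The TOFU flow against the pacman keyring (needs root and network).
# PINNED_FPR must come from the repository's own site, never from the keyserver.
pin_repo_key() {
    local keyid=$1 pinned_fpr=$2 colons
    pacman-key --recv-keys "$keyid" || return 1
    colons=$(gpg --homedir /etc/pacman.d/gnupg --with-colons --list-keys "$keyid")
    if fingerprint_matches "$(primary_fingerprint "$colons")" "$pinned_fpr"; then
        pacman-key --lsign-key "$keyid"
    else
        echo "fingerprint mismatch for $keyid; key NOT signed" >&2
        return 1
    fi
}
```

Usage: `pin_repo_key 0123456789ABCDEF '0000 1111 2222 3333 4444  5555 6666 7777 8888 9999'` (placeholder values) signs the key only on a match; a keyserver that returns a different key for the same ID is rejected rather than trusted.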