by darthrupert
318 days ago
Ok, so I checked it out slightly more and noticed that the omarchy installation script enables the chaotic.cx repo, which contains packages automatically built from AUR. I.e. packages contributed by practically anyone. So you'll be trusting not just one unknown set of people (AUR) but a completely second one too (chaotic.cx). Omarchy enables all this silently with pacman -U --noconfirm. This is probably fine for a hobbyist, and this is what people in the Linux world generally do, but also constitutes a pretty bad supply side attack vector. Then again, not significantly worse than what things like npm/node do. On a positive note, using the concept of migrations in a tool like this is neat.