by dathinab 4 days ago
For completeness, another trick to deceive people can be to have (git/http) sources from places other than just the official repo, like in the example you linked. When changed, they will just show up as a "hash" change... which is fine for the original upstream source (if trusted) but not for anything else.

But in general I would think 4 times about installing any AUR package no longer reasonably reviewable in the parts not either in official packages or the upstream source (including patches, dependencies, etc.).

Sometimes throwing something into an untrusted OCI image you run in a VM (instead of lightweight containers) is just the better option... sadly, also often still painful to set up.
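One way to make the trick described in the comment visible during review, as an added example that is not part of the comment or of any AUR tooling: parse the `source=()` array of two PKGBUILD revisions and flag hosts that are new relative to the previous revision or not on a reviewer's allowlist, rather than only looking at the changed checksum lines. The two PKGBUILD fragments and the package name are constructed for the example.

```python
import re
from typing import Dict, List, Optional, Set
from urllib.parse import urlparse

# Constructed sample PKGBUILD fragments (not from the page). The "new" revision
# adds a source from a host that is not upstream; on a checksum-focused review
# this mostly surfaces as one more sha256sums entry.
OLD_PKGBUILD = '''
pkgname=exampletool
pkgver=1.2.0
source=("https://github.com/example/exampletool/archive/v${pkgver}.tar.gz"
        "exampletool.service")
sha256sums=('aaaa' 'bbbb')
'''

NEW_PKGBUILD = '''
pkgname=exampletool
pkgver=1.2.1
source=("https://github.com/example/exampletool/archive/v${pkgver}.tar.gz"
        "exampletool.service"
        "git+https://codeberg.org/someone-else/helper-patches.git")
sha256sums=('cccc' 'bbbb' 'SKIP')
'''


def parse_sources(pkgbuild: str) -> List[str]:
    """Return the entries of the source=() array with surrounding quotes stripped."""
    match = re.search(r'source=\((.*?)\)', pkgbuild, re.S)
    if not match:
        return []
    return [entry.strip('"\'') for entry in match.group(1).split()]


def source_host(entry: str) -> Optional[str]:
    """Host of a remote source, or None for a local file shipped with the PKGBUILD."""
    url = entry.split('::', 1)[-1]                 # drop makepkg's 'name::' rename prefix
    url = re.sub(r'^(git|hg|svn|bzr)\+', '', url)  # drop the VCS fetch prefix (git+https://...)
    return urlparse(url).netloc.lower() or None


def review_sources(old: str, new: str, trusted_hosts: Set[str]) -> Dict[str, List[str]]:
    """Flag remote source hosts that are new since the old revision or not allowlisted."""
    old_hosts = {source_host(s) for s in parse_sources(old)} - {None}
    findings: Dict[str, List[str]] = {"new_hosts": [], "untrusted_hosts": []}
    for entry in parse_sources(new):
        host = source_host(entry)
        if host is None:
            continue
        if host not in old_hosts:
            findings["new_hosts"].append(host)
        if host not in trusted_hosts:
            findings["untrusted_hosts"].append(host)
    return findings


if __name__ == "__main__":
    print(review_sources(OLD_PKGBUILD, NEW_PKGBUILD, {"github.com"}))
```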