Aur is probably the main reason why many people use Arch and derivatives. However, many users are unaware that aur is not an official Arch repository and that, as you say, you are the one who has to monitor the pkgbuilds of each installed aur package. Normally the most used aur packages tend to generate more confidence but that does not prevent that package to include malicious software in a version change and having root access to the system can take control of certain system services.
That’s why I always recommend not using Aur and that’s why I’ve always found Manjaro to be a great distribution, as it retains packages for a few days to check them and discourages the use of aur.
Any security measure is too little and that’s why any security tool you can configure is advisable. In a rolling distribution where new code is constantly entering the system, it is essential to have selinux and secureboot enabled.
Aur is probably the main reason why many people use Arch and derivatives. However, many users are unaware that aur is not an official Arch repository and that, as you say, you are the one who has to monitor the pkgbuilds of each installed aur package. Normally the most used aur packages tend to generate more confidence but that does not prevent that package to include malicious software in a version change and having root access to the system can take control of certain system services. That’s why I always recommend not using Aur and that’s why I’ve always found Manjaro to be a great distribution, as it retains packages for a few days to check them and discourages the use of aur. Any security measure is too little and that’s why any security tool you can configure is advisable. In a rolling distribution where new code is constantly entering the system, it is essential to have selinux and secureboot enabled.
FYI, non-Arch distros can use AUR with an Arch distrobox. So people shouldn’t be using Arch just for AUR.
Being in a distrobox may or may not protect your system from potential malware, that I cannot say.