Using the AUR largely expects users to understand the basics of shell/BASH scripts, which is what a PKGBUILD is. The most obvious source to check is what URL(s) the PKGBUILD is pulling in for a package's source(s). Are these URLs sourced from official or otherwise trusted sources for the application or component (such as from the app author's download site or their git forge)? Does the PKGBUILD make any claims of what is being downloaded and does the target URL's contents match that? If either of these checks fail, it's best to avoid that package.

Additionally, does the PKGBUILD attempt to do things like obfuscate data such as URLs or tokens for downloading? Does it attempt to recklessly delete or modify files/directories (rm -rf, other recursive functions)? Does the PKGBUILD make use of any arbitrary execution statements such as exec or spawning subshells? If any of these check true, the package should seriously be revised before attempting to install it. System-level software installs on Linux systems should never be complicated enough to need fancy execution techniques nor reckless file management.

If you are concerned with security, you can install postmaster or any other firewall force block all the internet connection and deny all the connections and then manually start allowing apps and process access to internet.

It's an annoying process. It takes a lot of time to set up, but once it gets going, you will be mostly secure from this type of attack.

So, sort of security over convenience.