>You have to review the source of every PKGBUILD from the AUR you install, full stop

Believing that even a small fraction of users actually do this is deeply detached from reality.

I use Arch on my dev qemu VM and actually review all changes all the time.

It is not that hard with small amount of pkgbuilds:

  find ~/.cache/yay -maxdepth 1 -type d
  /home/virt/.cache/yay
  /home/virt/.cache/yay/google-chrome
  /home/virt/.cache/yay/ngrok
  /home/virt/.cache/yay/rancher-k3d-bin
  /home/virt/.cache/yay/simplescreenrecorder
  /home/virt/.cache/yay/ttf-comfortaa
  /home/virt/.cache/yay/cursor-bin
  /home/virt/.cache/yay/yay
  /home/virt/.cache/yay/volta-bin