SCdF 3 hours ago
So 100%, I agree that it's highly dangerous that the distros the next tranche of people unfamiliar with Linux (gamers dissatisfied with Windows) move over with are based on hecking Arch. It feels like a massive upcoming footgun. I think the issue is those repos being based on Arch though, not Arch itself.
porridgeraisin an hour ago
To be fair, among all the Linux users I know, no one except developers/CS-adjacent would actually get hit by this. The point is that "noob users" use packages that are, to put it short, maintained by a big company. Or it's something that's there in the official repos. And the big companies always maintain their own supply chain till the end, i.e. they maintain their AUR packages or their curl | bash endpoint themselves. So it ends up being alright. Stuff that tinkerers use is often some random fork of a fork of a GitHub repo, maintained by someone else, and the AUR package maintained by a fourth person. That's where the mess is. Thankfully, these are also the users you can expect to read a PKGBUILD diff.