It’s a choice. We know that it’s riskier to use stuff from AUR. Which is why it’s highly recommended to read the PKGBUILD before installing the package. The basic Arch install doesn’t even include an AUR helper. That said, AUR is typically very reliable for packages with a decent userbase. It’s mostly due to the community aspect. Bad actors are caught relatively easily as the PKGBUILD is available to look at.