Your comparison was with random exes on the most targeted, malware infested operating system out there.
Many eyes are always better than no eyes. I’m not saying you shouldn’t vet the code stop misinterpreting but no one knows or catches everything by themselves. That’s why security needs transparency. If it’s as insecure as you’re saying we would have way bigger problems but we don’t. AUR is not as safe as the Arch repository sure, but definitely safer than installing random exes on Windows. It’s a flawed comparison you’re making.
If you’re paranoid you should be on an immutable distro cause xz backdoor was in some official repos. Repo maintainers do not catch everything either it was just a mere coincidence someone caught it(again thanks to transparency & many eyes on code) before mass deployment. Installing anything with root access is a risk. Going online is a risk. But there are ways to mitigate risk. Some security you’re always gonna have to trade for convenience.