I think you’re missing the context. We’re not talking servers here but desktops. Arch is typically used on desktop systems. The threats that face desktops and servers are not the same. Same goes for risk and potential damage. Also please provide a source if you’re trying to debunk “common misconception”.

Your comparison was with random exes on the most targeted, malware infested operating system out there.

Many eyes are always better than no eyes. I’m not saying you shouldn’t vet the code stop misinterpreting but no one knows or catches everything by themselves. That’s why security needs transparency. If it’s as insecure as you’re saying we would have way bigger problems but we don’t. AUR is not as safe as the Arch repository sure, but definitely safer than installing random exes on Windows. It’s a flawed comparison you’re making.

If you’re paranoid you should be on an immutable distro cause xz backdoor was in some official repos. Repo maintainers do not catch everything either it was just a mere coincidence someone caught it(again thanks to transparency & many eyes on code) before mass deployment. Installing anything with root access is a risk. Going online is a risk. But there are ways to mitigate risk. Some security you’re always gonna have to trade for convenience.

Well there is far less malware on Linux tbf so comparison is not completely accurate. But same caution applies, try to vet and understand what you install. That part is also easier with the AUR as it’s transparent in the packagebuild what it does unlike random exes with closed source. It’s also a large community with many eyes on the code so unless it’s a package with few users then it’s gonna get caught pretty quickly.