That’s why it’s one step above. The user is given an option to read the PKGBUILD (or a diff with the cached copy if it exists), but beyond that, it’s still unverified arbitrary code from an external source (the project’s actual source, binaries, or packages from another repository). Packages in the official Arch repos are verified by the downstream packagers. For AUR packages, it’s up to the community to moderate itself, and the user to determine whether the package is trustworthy, and I’m willing to bet that not many people do it. I certainly don’t vet everything I install.
That’s why it’s one step above. The user is given an option to read the PKGBUILD (or a diff with the cached copy if it exists), but beyond that, it’s still unverified arbitrary code from an external source (the project’s actual source, binaries, or packages from another repository). Packages in the official Arch repos are verified by the downstream packagers. For AUR packages, it’s up to the community to moderate itself, and the user to determine whether the package is trustworthy, and I’m willing to bet that not many people do it. I certainly don’t vet everything I install.