To be honest, you place a lot of trust in people you don't know when you install any operating system, and that includes commercial ones. Most people have no idea what's included in the code of the operating system they are running.
But you have to trust some people for software, or else all you have is hardware that can't be used. Projects like Manjaro and others have security in mind when they release anything. All packages, and even the ISOs, are signed with the project's PGP key. There are multiple layers of people looking at everything.
In addition to that, all the packages used for the operating system, even community versions, are stored in the project's repository.
In the end, it is the project's good name and reputation at stake. Once lost, it's likely impossible to get those back. That's why projects are very security minded and will do everything they can to make sure no harm comes to their users.