Really? You rail against ppas and in the next paragraph you talk about AUR? Like its some how better?
You talk about signed packages. Who exactly signs the AUR packages?
Do you even know where the AUR source comes from? Do you? Hint: it comes from github, and the github account is Mega NZ.
Do you really know who's hands it has passed through? What changes they made?
Why would you trust Mega NZ enough to use their zero knowledge cloud, but not trust their original packages and instead trust packages that have lurked on three other storage clouds.
Who do you think protects themselves from the US Government and the British and the Germans and the Russians more carefully, Mega NZ or Github? or AUR?