I care more about if maintainers actually audit the contents of packages rather than if their builds are reproducible (though the latter still matters)!
Not just is there obvious malware, but also are there obvious vulnerabilities, is the person that wrote it of good nature / located in a country where they’re safe from nation state pressure, is there a lot of history behind the app.
Obviously this is too much work for any individual and requires a chain of trust. I believe fedora and Ubuntu at the very least audit to some extent but I’ve never seen any doco.
Isn't this chain of trust essentially what crev [0] tries to do? FWIW Rust implements cargo-crev [1], but I suppose you could extend this to AUR packages with a bit of work.