Are all programs in the Official Repo safe?

The packages in official Arch repositories (core, extra, community, and multilib) are all packaged by Arch developers and Trusted Users. Their names and email addresses are known to us (use pacman -Si package_name to see who packaged it). EndeavourOS ships with an additional repo called endeavouros. Packages in it are packaged by somebody on the EndeavourOS team, probably @manuel or @joekamprad (unfortunately, the name of the packager is listed simply as “EndeavourOS”).

The mere act of using Arch Linux (or EndeavourOS) presupposes trust in the official repositories and their maintainers. Specifically, we trust them not to intentionally or by omission package malware into the software we download from the official repositories. Without this trust, one should not be using Arch Linux. It does not matter what package we’re talking about, whether it is something that every Arch Linux user has installed, like bash, or something very specific like filezilla – they are packaged by the same group of people so this trust is all or nothing. It’s as simple as that.

The same is true for any unofficial, third-party repositories you yourself add to your pacman.conf: you need to trust the people who maintain them in order to use them (so it’s a good idea to know who is the maintainer). Read and understand this before you add a third-party repo: [FAQ] The dangers of using 3rd party repos

However, if you are concerned about some third party (for example, a mirror server owner, or a hacker with access to a mirror server) intercepting your downloads and serving you malware packaged into packages, that is impossible. Only the original packager has the power to include malware into packages, because all packages are checked against any tampering by the package manager on your computer. If the signature of a downloaded archive file does not match, you get an error and nothing is installed. So, no trust in mirror owners is necessary.

None of this applies to the AUR, as the AUR is not an official repository and it only contains PKGBUILD files that contain the instructions on how to package something yourself on your local machine. For any software from the AUR, you are the packager, using somebody else’s build scripts (who may or may not be trustworthy), so it is your responsibility to make sure no malware gets packaged into the packages you build.

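As an added illustration of the signature-checking and third-party-repo points above (this script is not from the forum post, nor from pacman or EndeavourOS): it parses a pacman.conf, works out the effective SigLevel each repository inherits from [options], and flags repos where package signature checking is disabled or untrusted keys are accepted, plus every repo that is not one of the official ones. The built-in default level and the "repo line overrides only what it names" merge rule are assumptions about pacman's behaviour, and the sample config is constructed for the demo.

```python
import re
# Assumed pacman built-in default when no SigLevel line exists anywhere.
DEFAULT = {s: {"check": "Optional", "trust": "TrustedOnly"} for s in ("Package", "Database")}
KIND = {"Never": "check", "Optional": "check", "Required": "check",
        "TrustedOnly": "trust", "TrustAll": "trust"}

def apply_siglevel(tokens, base):
    # Merge tokens onto a copy of base: "PackageRequired" touches one scope, plain
    # "Required" touches both; later tokens win; an unknown token raises KeyError.
    level = {scope: dict(v) for scope, v in base.items()}
    for tok in tokens:
        scope = next((p for p in level if tok.startswith(p) and tok != p), None)
        tok = tok[len(scope):] if scope else tok
        for s in ([scope] if scope else level):
            level[s][KIND[tok]] = tok
    return level

def effective_siglevels(conf_text):
    # Repos inherit [options]; a repo's own SigLevel overrides only what it names.
    sections, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if m := re.fullmatch(r"\[(.+)\]", line):
            current = sections.setdefault(m.group(1), [])
        elif (m := re.fullmatch(r"SigLevel\s*=\s*(.+)", line)) and current is not None:
            current += m.group(1).split()
    global_level = apply_siglevel(sections.pop("options", []), DEFAULT)
    return {repo: apply_siglevel(t, global_level) for repo, t in sections.items()}

def audit(conf_text):
    # Returns [(repo, finding), ...] for the settings a defender wants to review.
    findings = []
    for repo, lvl in effective_siglevels(conf_text).items():
        if lvl["Package"]["check"] == "Never":
            findings.append((repo, "package signatures are not verified"))
        if lvl["Package"]["trust"] == "TrustAll":
            findings.append((repo, "signatures from untrusted keys are accepted"))
        if repo not in {"core", "extra", "community", "multilib"}:
            findings.append((repo, "third-party repo: its maintainer must be trusted"))
    return findings

# Constructed sample pacman.conf for the demo; not copied from any real system.
SAMPLE_CONF = """\
[options]
SigLevel = Required DatabaseOptional
[core]
[endeavouros]
SigLevel = PackageRequired
[third-party-example]
SigLevel = Never TrustAll
"""
```

Running `audit(SAMPLE_CONF)` reports nothing for core, only the third-party note for endeavouros (its PackageRequired line leaves the inherited DatabaseOptional untouched), and all three findings for the repo that set `Never TrustAll`.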