The Chaotic AUR may actually be the lesser of the two evils these days. In the past your logic would be sound, but the Chaotic AUR implemented safeguards a while back to automatically scan AUR packages for malware before the are built.
AUR packages had already been identified as infected and they were already red flagged by the Chaotic AUR’s build scripts before the AUR malware contaminations became widely known.
I’m not saying the Chaotic AUR safeguards are infallible by any means, but it at least adds any extra layer of security over and above installing directly from the AUR.
I just thought I’d mention the fact that the Chaotic AUR had implemented safeguards against malware infections a while back, for those that are concerned that the Chaotic AUR is less secure than packages downloaded directly from the AUR.
It always pays to be cautious, but the Chaotic AUR is not inherently riskier than the AUR now that screening safeguards are in place.
Just FYI, for those that didn’t know about the Chaotic AUR’s extra level of security screening that was implemented a while ago.