[FAQ] The dangers of using 3rd party repos

This is an excellent summary.

It cannot be stressed enough how safe the AUR is, if the user is careful. Indeed, while anyone can upload anything to the AUR, including malware, if we are careful and inspect the PKGBUILD file, we can know exactly what goes into the package: specifically, where the software is sourced from, whether it is in source code, or as a binary, that it was not modified after being downloaded (by checking the sha-sum), and exactly what commands are invoked to build it and install it. Also, on the AUR website, there are comments and a report mechanism for anything malicious or untrustworthy.

In a sense, this is even safer than the official Arch repos. But it requires some effort from the user to understand what’s going on.

6 Likes
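
As an added illustration of the PKGBUILD inspection described in the post above (not part of the original post and not AUR or makepkg tooling): a small Python script that reads a PKGBUILD as text, without sourcing it, and lists the points to check by hand. The sample PKGBUILD, its package name and URLs are constructed, and the function names `arrays` and `review` are hypothetical.

```python
import re

# Constructed sample PKGBUILD for illustration; package name and URLs are placeholders.
SAMPLE = '''\
pkgname=example-tool
pkgver=1.2.3
source=("https://example.org/example-tool-$pkgver.tar.gz"
        "http://example.net/helper.bin")
sha256sums=('0000000000000000000000000000000000000000000000000000000000000000'
            'SKIP')
package() {
  curl -s https://example.net/post-install.sh | sh
  make DESTDIR="$pkgdir" install
}
'''

ARRAY = re.compile(r'^(\w+)=\((.*?)\)', re.S | re.M)       # name=( ... )
ITEM = re.compile(r'''"([^"]*)"|'([^']*)'|(\S+)''')        # quoted or bare word
SUMS = re.compile(r'(md5|sha\d+|b2)sums')
FETCH = re.compile(r'\b(curl|wget|git\s+clone|pip\s+install|npm\s+install)\b')

def arrays(text):
    """Parse bash array assignments as text; the PKGBUILD is never sourced or run."""
    return {n: [a or b or c for a, b, c in ITEM.findall(body)]
            for n, body in ARRAY.findall(text)}

def review(text):
    """Return findings for a human reviewer; an empty list is not proof of safety."""
    arr, out = arrays(text), []
    sources = [s.split('::', 1)[-1] for s in arr.get('source', [])]
    sums = {k: v for k, v in arr.items() if SUMS.fullmatch(k)}
    if sources and not sums:
        out.append('no checksum array for source=()')
    for name, values in sums.items():
        if len(values) != len(sources):
            out.append(f'{name}: {len(values)} entries for {len(sources)} sources')
        for src, val in zip(sources, values):
            if val == 'SKIP':
                out.append(f'{name}: SKIP, no integrity check for {src}')
    out += [f'plaintext transport: {s}' for s in sources
            if s.startswith(('http://', 'ftp://'))]
    for no, line in enumerate(text.splitlines(), 1):
        if not line.lstrip().startswith('#') and FETCH.search(line):
            out.append(f'line {no}: fetches outside source=(): {line.strip()}')
    return out

if __name__ == '__main__':
    print('\n'.join(review(SAMPLE)))
```

A `SKIP` entry is expected for VCS sources such as `git+` URLs, so each finding is a prompt to read that part of the PKGBUILD, not a verdict.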