I believe this is a good opportunity to come back to this “AUR Security discussion” where I made a statement about checking the source an AUR package is using:
The screenshot from @Bink is a good illustration of how that can work. The screenshot shows the thunderbird-beta-bin package, or rather the corresponding PKGBUILD. A malicious packager could potentially use a modified Thunderbird source code which would compromise your emails.
Check the source, Luke. In the PKGBUILD you see that it pulls the source directly from mozilla.org. That is good. And there do not seem to be any other sources which look suspicious. That is a first and very simple security check.
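The check described in the post above can be done without executing the PKGBUILD. This is an added example, not part of the original post: it reads the `source` arrays as text and sorts each entry by host. The sample PKGBUILD, its hosts and the function name `classify_sources` are constructed for illustration.

```python
import re
import shlex
from urllib.parse import urlparse

# Constructed sample, NOT the real thunderbird-beta-bin PKGBUILD.
SAMPLE_PKGBUILD = '''\
pkgname=example-mail-bin
pkgver=1.0
source=("example.desktop"
        "https://archive.mozilla.org/pub/example/$pkgver/example-$pkgver.tar.bz2")
source_x86_64=("helper::git+https://mirror.example.invalid/helper.git"
               "https://mozilla.org.example.invalid/extra.tar.gz")
sha256sums=('SKIP' 'SKIP')
'''

# source=(...) and per-architecture source_<arch>=(...) arrays.
SOURCE_ARRAY = re.compile(r"^\s*source(?:_\w+)?=\((.*?)\)", re.S | re.M)
RENAME_PREFIX = re.compile(r"^[^:/]+::")        # "filename::url"
VCS_PREFIX = re.compile(r"^(git|hg|svn|bzr)\+")  # "git+https://..."
COMMENT_LINE = re.compile(r"(?m)^\s*#.*$")

def classify_sources(pkgbuild_text, expected_domains):
    """Sort source entries into expected, local and unexpected hosts.

    The PKGBUILD is only read as text; it is never sourced or run.
    """
    result = {"expected": [], "local": [], "unexpected": []}
    for body in SOURCE_ARRAY.findall(pkgbuild_text):
        for entry in shlex.split(COMMENT_LINE.sub("", body)):
            url = VCS_PREFIX.sub("", RENAME_PREFIX.sub("", entry))
            host = urlparse(url).hostname
            if host is None:
                # No URL: a file shipped next to the PKGBUILD. Read it too.
                result["local"].append(entry)
            elif any(host == d or host.endswith("." + d) for d in expected_domains):
                result["expected"].append(entry)
            else:
                # Includes lookalikes such as mozilla.org.example.invalid.
                result["unexpected"].append(entry)
    return result

if __name__ == "__main__":
    for kind, entries in classify_sources(SAMPLE_PKGBUILD, ["mozilla.org"]).items():
        for entry in entries:
            print(f"{kind:10} {entry}")
```

This only looks at the `source` arrays; the build functions and any `.install` file can also fetch or change things and still need to be read.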