And even with third-party package managers like yay, the package manager is pulling the PKGBUILD definition locally, running makepkg for you, and then installing that.
Yeah, it is called an "AUR helper" officially because it just automates these processes for you.
And yay warns you before anything happens and prompts you to review the PKGBUILD files and any patches for this very reason. So there are at least two "are you sure?" confirmations needed before even building anything.
This is a situation where you have to go out of your way and be naive to be affected. You simply can't protect the user from everything.
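As an added example (not code from this thread or from yay), here is a small Python check one could run during the PKGBUILD review step the helper prompts for: it reads the file as text rather than sourcing it, so nothing in it executes, and it flags SKIP checksums, plain-http sources and download-piped-to-shell lines. The PKGBUILD content below is constructed for illustration.

```python
import re

# Constructed sample PKGBUILD (not a real AUR package), used as offline input.
SAMPLE_PKGBUILD = """\
pkgname=example-tool
pkgver=1.2.0
pkgrel=1
source=("https://example.invalid/example-tool-$pkgver.tar.gz"
        "fix-build.patch"
        "http://example.invalid/extra.sh")
sha256sums=('0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef'
            'SKIP'
            'SKIP')
build() {
  cd "$pkgname-$pkgver"
  make
}
"""

CHECKSUM_ARRAYS = ("sha256sums", "sha512sums", "b2sums", "md5sums")


def parse_array(text, name):
    """Extract the elements of a bash array `name=( ... )` by pattern only; never sources the file."""
    m = re.search(r'^\s*' + re.escape(name) + r'=\((.*?)\)', text, re.S | re.M)
    if not m:
        return []
    return re.findall(r"""['"]?([^'"\s]+)['"]?""", m.group(1))


def review_pkgbuild(text):
    """Return the findings a reviewer should look at before running makepkg."""
    sources = parse_array(text, "source")
    sums = next((s for n in CHECKSUM_ARRAYS if (s := parse_array(text, n))), [])
    findings = []
    if sources and not sums:
        findings.append("no checksum array for sources")
    for i, src in enumerate(sources):
        url = src.split("::", 1)[-1]  # handles the name::url form
        if url.startswith("http://"):
            findings.append(f"plain-http source: {url}")
        if i < len(sums) and sums[i] == "SKIP":
            findings.append(f"checksum SKIP for source: {url}")
    if re.search(r'\b(curl|wget)\b[^\n|]*\|\s*(ba)?sh\b', text):
        findings.append("pipes a download straight into a shell")
    return findings
```

Run it on a downloaded PKGBUILD before makepkg; an empty list means nothing caught the reviewer's eye, not that the package is safe.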