Just by taking a glance at the most popular packages (https://aur.archlinux.org/packages)
Pretty much every browser that isn't Firefox including Chrome, VS Code, most proprietary software like Slack, Zoom, Spotify, many VPN clients and password managers, a lot of them seemingly not published by the companies in question.
All of those ancillary password, VPN or security-related products that aren't going to be in the main repo because they have proprietary elements and also rely on random people seem particularly bad. And there's a lot of software in that category.
And what distro does package those?
That's what Flatpak is for. If you must install crappy proprietary software, at least get an official package from the developer.
Some of those packages (like Brave) are maintained by original developers, it depends on the package.
Most aren't, but it's trivial to review changes to packages (all good AUR helpers show the diff on upgrades, and 99% of the time the changes are hash and version, nothing else).
So you only need to check the package once, which the documentation reminds you to do about fifty times. Otherwise — play stupid games, win stupid prizes.
If the package has any popularity at all, you will get lots of paranoid users who will eat you alive and report to Arch maintainers right away if you do anything suspicious, try to link a binary from some weird website instead of the upstream URL, or even just omit the GPG signature verification key when it's available.
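An added example, not part of the thread and not code from any AUR helper: a small triage of a PKGBUILD upgrade diff that stays silent when only the version and checksums changed and reports the changes the comment above says reviewers watch for (a new source URL, a disabled checksum, a dropped signing key). The function names, sample diffs, hosts and digests are constructed for illustration.

```python
import re

# What a routine version bump adds: a plain version value or checksum entries.
VERSION = re.compile(r"^(pkgver|pkgrel)=['\"]?[\w.+]+['\"]?$")
SUMS = re.compile(r"^((md5|sha\d+|b2|ck)sums(_\w+)?=\()?\s*"
                  r"(['\"][0-9a-f]{8,128}['\"]\s*)*\)?$")

def classify(line):
    """Name the reason a non-routine line deserves a manual look."""
    if "SKIP" in line:
        return "checksum-disabled"
    if line.startswith("validpgpkeys"):
        return "signing-key"
    return "source-changed" if line.startswith("source") else "other"

def review_diff(diff_text):
    """Return (kind, sign, line) for each PKGBUILD change that is not routine."""
    findings = []
    for raw in diff_text.splitlines():
        if not raw or raw[0] not in "+-" or raw.startswith(("+++", "---")):
            continue
        sign, line = raw[0], raw[1:].strip()
        # Removed lines cannot run; report them only when verification is lost.
        removed_ok = sign == "-" and not line.startswith("validpgpkeys")
        if not line or line.startswith("#") or removed_ok:
            continue
        if not (VERSION.match(line) or SUMS.match(line)):
            findings.append((classify(line), sign, line))
    return findings

# Constructed sample diffs; digests, key id and hosts are placeholders.
OLD, NEW, KEY = "a" * 64, "b" * 64, "0" * 40
ROUTINE_BUMP = f"""\
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -2,2 +2,2 @@
-pkgver=1.4.0
+pkgver=1.4.1
-sha256sums=('{OLD}')
+sha256sums=('{NEW}')
"""
SUSPICIOUS_BUMP = ROUTINE_BUMP.replace(f"'{NEW}'", "'SKIP'") + f"""\
-source=("https://upstream.example/app-$pkgver.tar.gz"{{,.sig}})
+source=("https://files.example.net/app-$pkgver.tar.gz")
-validpgpkeys=('{KEY}')
"""

if __name__ == "__main__":
    print(review_diff(ROUTINE_BUMP), review_diff(SUSPICIOUS_BUMP), sep="\n")
```

The version pattern is strict on purpose: a line that starts with `pkgver=` or `pkgrel=` but carries anything after the value is reported rather than treated as routine.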
Chrome is in the main repos as chromium. VS Code is the "code" package. I don't know what VPN clients you're referring to, but networkmanager is built-in and has support for openvpn and wireguard.
Yes, proprietary software has to be installed separately, but for things like cloud password managers you're already putting your trust someplace else. You're also not likely to be hit by one of these flyby attacks, because the stuff people want is popular and has people watching it constantly and reputable people maintaining it. These patch/fix packages are suspicious looking and probably didn't have a single person touch them.