Some of those packages (like Brave) are maintained by the original developers; it depends on the package.
Most aren't, but it's trivial to review changes to packages (all good AUR helpers show the diff on upgrades, and 99% of the time the changes are hash and version, nothing else).
So you only need to check the package once, which the documentation reminds you to do about fifty times. Otherwise — play stupid games, win stupid prizes.
If the package has any popularity at all, you will get lots of paranoid users who will eat you alive and report to Arch maintainers right away if you do anything suspicious, try to link a binary from some weird website instead of the upstream URL, or even just omit the GPG signature verification key when it's available.
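As an added illustration of the diff review described above (this is example code, not from the comment's author or from any AUR helper): a small script that parses two versions of a PKGBUILD and separates routine bumps (version, checksums) from changes a reviewer should read by hand, such as a changed download host or a dropped `validpgpkeys` entry. The sample PKGBUILDs are constructed.

```python
import re
ROUTINE = {"pkgver", "pkgrel", "sha256sums", "sha512sums", "b2sums", "md5sums"}
ASSIGN = re.compile(r"^([A-Za-z_]\w*)=(.*)$")   # top-level variable assignment
FUNC = re.compile(r"^(\w+)\(\)\s*\{")           # package()/build() opener

def parse_pkgbuild(text):
    """Return (variables, functions): top-level assignments (arrays may
    span several lines) and the body text of each shell function."""
    variables, functions, lines, i = {}, {}, text.splitlines(), 0
    while i < len(lines):
        if m := ASSIGN.match(lines[i]):
            name, val = m.group(1), m.group(2)
            while val.count("(") > val.count(")"):  # array continues
                i += 1
                val += "\n" + lines[i]
            variables[name] = val.strip()
        elif m := FUNC.match(lines[i]):
            end = lines.index("}", i)  # body runs to the closing brace
            functions[m.group(1)] = "\n".join(lines[i + 1:end])
            i = end
        i += 1
    return variables, functions

def classify_changes(old, new):
    """Split differing fields into routine bumps (version, checksums)
    and everything else, which a reviewer should read by hand."""
    old_vars, old_funcs = parse_pkgbuild(old)
    new_vars, new_funcs = parse_pkgbuild(new)
    routine, review = [], []
    for key in sorted(set(old_vars) | set(new_vars)):
        if old_vars.get(key) != new_vars.get(key):
            (routine if key in ROUTINE else review).append(key)
    for key in sorted(set(old_funcs) | set(new_funcs)):
        if old_funcs.get(key) != new_funcs.get(key):
            review.append(key + "()")
    return routine, review

# Constructed sample: a version bump that also swaps the download host and drops the signing key.
OLD = """pkgname=example-bin
pkgver=1.2.0
source=("https://example.com/dl/example-${pkgver}.tar.gz")
sha256sums=('aaaa')
validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567')
package() {
  install -Dm755 "$srcdir/example" "$pkgdir/usr/bin/example"
}
"""
NEW = (OLD.replace("pkgver=1.2.0", "pkgver=1.2.1").replace("'aaaa'", "'bbbb'")
       .replace("https://example.com/dl", "https://mirror.invalid/dl")
       .replace("validpgpkeys=('0123456789ABCDEF0123456789ABCDEF01234567')\n", ""))
```

`classify_changes(OLD, NEW)` returns `(['pkgver', 'sha256sums'], ['source', 'validpgpkeys'])`: the version and hash bump is routine, the new host and the missing key are what to look at.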