Hackbraten, today at 5:03 PM

> And what if upstream is problematic?

Then don’t install the package.

It’s on you to decide whether you trust upstream or not.

You’re free to use any scanner you want on the upstream sources if it makes you feel safer. (I’m currently working on a makepkg extension that allows just that.)

The core and extra repos are curated, and every package maintainer is doing their due diligence (and more) to protect the users. But on the AUR, nobody is going to do that work for you.


Replies

exceptione, today at 5:08 PM

> doing their due diligence (and more)

Do you know how? This sounds like an impractically large and time-consuming task.
