The one thing bothering me about Arch is AUR packages. How can you verify these?
Discussion
I'm really new to this ecosystem, but isn't that done if you build a package/binary (with PKGBUILD)?
Did some searches:
https://github.com/LuigiD5555/aur_scanner
https://gorkaegino.com/garden/how-to-inspect-aur-packages/
I guess we need to verify this stuff ourselves. Good to know.