Just want to add, yes, this is a security risk, the packages built from the AUR are not supervised actively. The Garuda repository has packages maintained and supervised by us. If you want to make sure, you should check these packages yourself, or you could start an initiative here to check packages with the community as a whole (I just want to note, chaotic-aur is not an optional repo in Garuda).
That's just how it is, unfortunately. We don't have the manpower to manually check these AUR packages, but most of them are quite popular on their own, and the likelihood of a malicious package is proportionately lower, but not zero.