Comment by embedding-shape

> the diffs only really show that it's coming from the same source

What else do you have to review? Both in the cases of binaries and source, the idea is that you trust upstream already, otherwise you shouldn't install software from them. And since you trust upstream, the only thing you need to review in the PKGBUILD is quite literally: Where is this stuff coming from, is it the official domain/repository? Are there other non-official dependencies? Are there patches applied?

Once you've reviewed those, you're done, and as safe as if you installed straight from upstream, zero false sense of security here.

You're mixing concerns here, as what you describe is completely different issue.