Found two great posts on how to take some precautions when using the Arch User Repository. To whom it may concern.
How to review an AUR package - Bert Peters https://bertptrs.nl/2026/01/30/how-to-review-an-aur-package.html
AUR Chaos malware: an analysis. What happened, and an investigation of the malware - mh4ckt3mh4ckt1c4s https://www.mh4ckt3mh4ckt1c4s.xyz/blog/aur-chaos-malware-analysis/#conclusion


Good question. I haven’t used custom hooks myself, but I believe you are correct. The alpm (Arch Linux Package Management) hooks manual states:
So I guess the blog post means to say that hooks are not supposed to be added automatically at installation of a package.