I am not an Arch maintainer or developer. As far as I’ve observed,
packages are moved from the official repositories to the AUR when the
upstream software has been discontinued and patches no longer make
sense, for example, when dependencies have also been discontinued, and,
of course, especially when CVEs are virtually impossible to fix. But
even then, packages end up in the AUR first. That was the case, for
example, with an ancient version of WebKit. So things like outdated GTK
or Qt versions end up in the AUR. Presumably, this also applies to
packages that members of the Arch team have no time or inclination to
maintain. It’s rather unlikely that packages maintained by upstream
would become malicious. Orphans in the AUR then disappear from the AUR
during the spring cleanup if no one wants to take over these packages
anymore. That’s my observation, one of the “officials” will surely be
able to provide more details.