I think a notice on the front page of the AUR would make sense here. IMHO, a blurb on the Arch homepage with a link to a notice on the AUR page would also help.
If you don't want to list all known affected packages, at least recommend the official position that anyone using an AUR package should be reading every file of every package they use.