I want to point out another view of this situation:
What if an outdated package is moved to the AUR and there is no new package with the replace=() variable? I personally had this several times, and those packages are still kept on the system.
This gave me some broken dependencies, but old software was also kept on my system. Besides the packages I manually installed from the AUR, this could be a real security risk.
Shouldn't we warn the user when a package from the official repositories moves to the AUR (or disappears completely)? Not every user checks his system for dropped packages every day, so a warning in pacman would be nice.
About the original suggestion for the AUR: I think it's worth having a pinned comment on the AUR page. The package maintainer should add it if a user gives him the hint. If he doesn't accept it, a TU should check whether the request is valid and pin the user's comment. This way we can help all the users. Maintainers unwilling to fix security problems, or ignoring/hiding them, are not welcome to me.
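One way to run the check for dropped packages that the post asks for, as an added example that is not part of the original post: it takes `pacman -Qm` output (the packages no longer found in any sync repository) and asks the AUR whether each one still exists, so a package that merely moved to the AUR is separated from one that vanished entirely. The AUR RPC v5 info endpoint, the stub lookup and the sample input are assumptions constructed for offline use.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): classify installed packages that are
# no longer in any configured sync repository. `pacman -Qm` lists exactly those
# "foreign" packages; we then ask the AUR whether each still exists.
set -eu

# Assumed endpoint: AUR RPC v5 "info" query.
AUR_RPC_URL="https://aur.archlinux.org/rpc/?v=5&type=info"

# Extract package names from `pacman -Qm`-style "name version" lines on stdin.
foreign_names() {
  awk 'NF >= 1 { print $1 }'
}

# Return 0 if the AUR knows the package, 1 otherwise (needs network access).
# Parses the "resultcount" field of the JSON reply without requiring jq.
aur_has_package() {
  local count
  count=$(curl -fsS "${AUR_RPC_URL}&arg[]=$1" | grep -o '"resultcount":[0-9]*' | cut -d: -f2) || count=0
  [ "${count:-0}" -gt 0 ]
}

# Classify the names on stdin. $1 is the lookup command (defaults to aur_has_package)
# so the logic can be exercised offline with a stub. Prints "STATUS name" lines:
#   AUR      still in the AUR: rebuild from there (or remove it) to keep getting updates
#   MISSING  in neither a sync repo nor the AUR: nobody ships fixes for it any more
classify_foreign() {
  local lookup="${1:-aur_has_package}" name
  while read -r name; do
    [ -n "$name" ] || continue
    if "$lookup" "$name"; then
      printf '%-8s%s\n' "AUR" "$name"
    else
      printf '%-8s%s\n' "MISSING" "$name"
    fi
  done
}

# Constructed demo data: two fake foreign packages, of which only "oldtool" is
# pretended to still exist in the AUR. A real run would be:
#   pacman -Qm | foreign_names | classify_foreign
stub_lookup() { [ "$1" = "oldtool" ]; }
if [ "${1:-}" = "--demo" ]; then
  printf 'oldtool 1.2-3\nlegacy-lib 0.9-1\n' | foreign_names | classify_foreign stub_lookup
fi
```

Run with `--demo` to see the classification on the constructed input; without arguments it only defines the functions, so it can be sourced from a larger maintenance script.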