On a side note, with the release of AUR 4.0.0, we are no longer going to use source tarballs. Every source package will have its own Git repository and you can use signed tags or signed commits.
Actually that is more than a side note, that answers my main concern. Glad to hear that it would be possible to ensure end-to-end verification in a future AUR version.
Just curious, do you have an idea of the planning of the 4.0.0 release? (Very roughly: 6 months, 1 year, more?)
So I think it is kind of pointless to discuss signed source tarballs now...