Security is a give and take, and with bleeding edge you have to balance it more. Yes bleeding edge can mean bleeding hearts when a security issue is discovered in new code. But just as often, if not more frequently, it also means you get security patches before almost anyone else. And the AUR is insecure, as it’s a user repository. But 99% of the time if you read the PKGBUILD (it’s really easy, you can usually skim it) and check the sources you’ll be fine. The AUR being insecure isn’t bad, it just means you need to put more effort into checking on stuff and you need to be responsible for your security. These aren’t bad habits to have in general, but it’s a bit of a learning curve coming from systems that expect to handle most of your security for you.

I think it’s important to keep in mind here that there is a very marked difference between vanilla Arch and its derivatives. A lot of derivatives will set up a lot of base system software with sensible defaults, whereas with vanilla Arch it’s often up to you to find out that you need that software, and then you also need to figure out a lot of configuration. Not having to do that saves you from a lot of issues.

we just need IRCv2 which should add chat history