This may happen even with `pkgctl build` if a makedepends= (transitively) pulled in the shared library into the build environment, but depends= doesn't.

There are warnings in place if a .so dependency is detected, but it's up to the maintainer to notice and act on it.

For safety/security concerns, Arch Linux has been one of the driving forces in the reproducible builds project, and for large parts of the operating system it's possible to independently verify that those binaries have in fact been built from source code. Its auditing story for official packages is stronger than that of NixOS (and on par with Debian):

https://reproducible.archlinux.org/

All of this is entirely unrelated to the AUR incident however.

Tools exist (e.g. pkgctl) to allow you to test building and installing the package on a clean image to catch these kinds of things; maintainers should really be using these before publishing.
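The check the two comments above describe (a binary needing a shared library whose package is in makedepends= but not depends=), as an added example that is not part of the thread or of Arch's own tooling. The readelf output and the soname-to-package map are constructed; a real run would call readelf on the built binary and resolve providers with pacman -F.

```shell
#!/bin/sh
# Added example: list sonames a built binary needs but whose providing
# package is absent from depends=. Mirrors the sodeps warning a maintainer
# is expected to act on; not the namcap/pkgctl implementation.

# Constructed `readelf -d` output for a hypothetical built binary.
# Real run: readelf -d "$binary" | sed -n '...'
needed_sonames() {
    cat <<'EOF' | sed -n 's/.*Shared library: \[\(.*\)\]/\1/p'
 0x0000000000000001 (NEEDED)             Shared library: [libcurl.so.4]
 0x0000000000000001 (NEEDED)             Shared library: [libssl.so.3]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libexample.so.1]
EOF
}

# Constructed soname -> providing package map (real run: pacman -F "$1").
provider_of() {
    case "$1" in
        libcurl.so.4) echo curl ;;
        libssl.so.3)  echo openssl ;;
        libc.so.6)    echo glibc ;;
        *)            echo unknown ;;
    esac
}

# Print "soname -> package" for every needed library whose provider is not
# in the space-separated depends= list given as $1. Empty output means clean.
missing_depends() {
    depends="$1"
    needed_sonames | while read -r so; do
        pkg=$(provider_of "$so")
        case " $depends " in
            *" $pkg "*) ;;                      # declared, fine
            *) echo "$so -> $pkg" ;;            # pulled in by makedepends only?
        esac
    done
}

# Usage: openssl was available at build time but never declared.
missing_depends "glibc curl"
```

The output `libssl.so.3 -> openssl` is exactly the case where the package builds and passes in a dirty environment but fails on a clean install.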
It's only relatively recently that this has shifted from the norm. Debian operated this way for a long time and it was only in 2019 that they forbade it entirely.