It's only scary if you think the AUR is inherently trustworthy. It's not, and every piece of official documentation and various wikis make it abundantly clear it's not. (If you see somewhere that doesn't point it out or edit it so it does.)
The AUR is barely better than pasting J Random Hacker's 'curl http://foo | sudo bash' code you see somewhere to install something. And that's only because at least the AUR makes it easier to inspect what's about to run and what changed.
I'm confused. How is this any different getting simply hosting a picture yourself and tracking all the IP addresses via http fetch logs? Why is Lemmy itself being singled out here? Why do you need some CGI script?