Are you running on btrfs? If not, why not? If so, install snapper and grub-snap or refind-btrfs, or whatever, and go wild.
Sounds like you might also be missing backups, but snapper you can have run every 10 minutes at almost no overhead. Then it won’t matter if you delete something; you can always grab it out of a snapshot.
I had a similar comment about PKGBUILD/templates. The package definition is far less likely to do something malicious than the software you’re installing; it’s indeed a vector - a hypothetical AUR “git-plus” package could install git and a virus at the same time - but frankly I’m more concerned about upstream.