I think a notice on the front page of the AUR would make sense here. IMHO, a blurb on the Arch homepage with a link to a notice on the AUR page would also help.

If you don't want to list all known affected packages, at least recommend the official position that anyone using an AUR package should be reading every file of every package they use.