For command line apps, I use paru for AUR. For desktop apps, if they’re available as a flatpak, I prefer that for the increased security provided by the sandbox. Otherwise I use Arch packages or AUR. I even uninstall GNOME apps (calendar, weather) from pacman, and install their flatpaks.

If you don’t need on-access scanning - and just want manual scanning of individual files that you’ve downloaded before you execute them, you can use Lenspect (available on flathub) which submits files to virustotal.com https://flathub.org/en/apps/io.github.vmkspv.lenspect