If you're actually vetting PKGBUILDs, I don't think there is a single one I've installed that doesn't download some blob. There is no way of knowing if it's OK, unless you also sift through that. I don't think anyone does. I certainly don't.
Most of mine download source and compile it or plain scripts like Python/Bash and move them some place.
If it is a -bin, I check the URL and checksum to be sure that it comes from the official source, and obviously I do not install software from companies that I do not trust. (And yes, every update. I have a dedicated timeslot in my calendar for that.)
I don't know what type of blob you mean which would require any additional treatment like.
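The URL-and-checksum check described in the reply above can be scripted. This is an added example, not part of the thread or of any Arch tooling: it reads the `.SRCINFO` text that accompanies an AUR PKGBUILD and flags sources with no pinned checksum, non-HTTPS downloads, and hosts outside a reviewer-supplied list. The package name, hosts and checksum in the sample are constructed, and the function names and trusted-host list are assumptions.

```python
from urllib.parse import urlparse

# Constructed sample .SRCINFO for a hypothetical -bin package (not a real one).
SAMPLE_SRCINFO = (
    "pkgbase = example-bin\n"
    "\tpkgver = 1.2.3\n"
    "\tsource = example.tar.gz::https://downloads.example.org/example-1.2.3.tar.gz\n"
    "\tsource = example.desktop\n"
    "\tsource_x86_64 = helper::http://mirror.example.net/helper-x86_64.bin\n"
    "\tsha256sums = " + "a" * 64 + "\n"
    "\tsha256sums = SKIP\n"
    "\tsha256sums_x86_64 = SKIP\n"
)

def parse_srcinfo(text):
    """Collect source and sha256sums entries per architecture suffix, in order."""
    sources, sums = {}, {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(" = ")
        if not sep:
            continue
        base, _, arch = key.partition("_")  # "source_x86_64" -> ("source", "x86_64")
        if base == "source":
            sources.setdefault(arch, []).append(value)
        elif base == "sha256sums":
            sums.setdefault(arch, []).append(value)
    return sources, sums

def audit(text, trusted_hosts):
    """Return (source, reason) pairs a reviewer should look at before building."""
    findings = []
    sources, sums = parse_srcinfo(text)
    for arch, entries in sources.items():
        arch_sums = sums.get(arch, [])
        for i, entry in enumerate(entries):
            url = entry.split("::", 1)[-1]  # drop the optional "name::" prefix
            checksum = arch_sums[i] if i < len(arch_sums) else None
            if checksum in (None, "SKIP"):
                findings.append((url, "no checksum pinned"))
            parsed = urlparse(url)
            if not parsed.scheme:
                continue  # local file shipped next to the PKGBUILD
            if parsed.scheme != "https":
                findings.append((url, "not fetched over https"))
            if parsed.hostname not in trusted_hosts:
                findings.append((url, "host not in trusted list"))
    return findings

if __name__ == "__main__":
    for source, reason in audit(SAMPLE_SRCINFO, {"downloads.example.org"}):
        print(f"{reason}: {source}")
```

A pinned checksum only shows that the download matches what the packager saw, so the host check against the upstream project's own download domain still has to be done by the reviewer.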