I wouldn’t necessarily say it’s bad, but I don’t use it because:

• The project’s had a history of failing at really basic administrative tasks like keeping their ssl certificate up to date
• I’m unconvinced they actually do the testing that justifies the delays and not just using arch. This is because security patches sometimes also get delayed and issues have gotten past the delay
• They’ve accidentally DDoSed the aur multiple times by shipping broken versions of pamac when fixed versions were available
• I’ve seen complaints about leadership and how they handle finances, though I haven’t really looked into this