In terms of both security and reliability/stability, I’d choose Flatpaks from Flathub over the AUR.
The AUR can be convenient for experienced DIY-motivated users–particularly in the context of Arch where the official repos are quite small/limited compared to other distros–but for average users or anyone who wants to just use an OS casually, it’s a rather insecure/non-ideal model, since the security of the model depends on users reading PKGBUILD files and doing their own vetting and due diligence (which most users don’t do).
Outright maliciousness is just one risk to consider. You aren’t just trusting random people to not be malicious, you are also trusting them to be semi-competent and semi-reliable and not negligent or irresponsible, and trusting that an AUR package doesn’t become outdated or abandoned or cause conflicts, etc.
Should I still download them from the AUR, or is it better to use Flatpak in such cases?
In my eyes, if you don’t mind consistently vetting software yourself, the AUR is pretty cool, but if you aren’t vetting the software yourself, the AUR should be pretty far down your order of preference if not close to a method of last resort.
If there is an official Flatpak available I’d definitely choose that. If there is an unofficial Flatpak on Flathub available, I’d still probably prefer that to the AUR since inclusion on Flathub implies at least some basic initial vetting was done by Flathub volunteers, and due to Flatpak’s intrinsic sandboxing capabilities. Like the AUR, it’s also possible to vet Flatpaks yourself to some degree (the Flatpak equivalent of a PKGBUILD is the Flatpak manifest).
So, on Fedora KDE or Workstation, is it better to use a mix of native packages and Flatpaks? Or is it feasible to rely solely on Flatpaks?
It is not feasible to rely solely on Flatpaks with a traditional Fedora install (since the base system is made up of roughly ~2000 traditional packages). But it may be possible to rely only on Flatpaks for the software you install/add post-install. If you want to maximize your use of Flatpaks I think Fedora Atomic distros are a sensible option, but I’d personally prefer official Fedora RPM packages to unofficial Flatpaks in most cases.
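
As an added illustration of vetting a Flatpak manifest (not part of the original post): a small Python checker that reads a JSON manifest and flags sandbox-weakening `finish-args` and sources that are unpinned or fetched over plain HTTP. The sample manifest, the function name `audit_manifest` and the selection of flagged permissions are assumptions made for this example.

```python
import json

# Permissions that largely defeat the sandbox (selection is this example's assumption).
BROAD_ARGS = {
    "--filesystem=host": "full host filesystem access",
    "--filesystem=home": "access to the whole home directory (also with :ro)",
    "--device=all": "access to all devices",
    "--socket=x11": "X11 socket, no isolation from other X11 clients",
    "--socket=session-bus": "unfiltered session D-Bus",
    "--socket=system-bus": "unfiltered system D-Bus",
    "--talk-name=org.freedesktop.Flatpak": "can ask the host to run commands",
}

def audit_manifest(manifest):
    """Return human-readable findings for one parsed JSON manifest."""
    findings = []
    for arg in manifest.get("finish-args", []):
        key = arg.partition(":")[0] if arg.startswith("--filesystem=") else arg
        if key in BROAD_ARGS:
            findings.append(f"finish-args {arg}: {BROAD_ARGS[key]}")
    stack = list(manifest.get("modules", []))
    while stack:  # modules can nest, so walk them iteratively
        mod = stack.pop()
        if not isinstance(mod, dict):  # a string is a path to another module file
            findings.append(f"module {mod}: defined in a separate file, review it too")
            continue
        stack.extend(mod.get("modules", []))
        for src in (s for s in mod.get("sources", []) if isinstance(s, dict)):
            name, kind, url = mod.get("name", "?"), src.get("type"), src.get("url", "")
            if url.startswith("http://"):
                findings.append(f"{name}: source fetched over plain HTTP ({url})")
            if kind in ("archive", "file") and url and not src.keys() & {"sha256", "sha512"}:
                findings.append(f"{name}: downloaded source has no sha256/sha512")
            if kind == "git" and "commit" not in src:
                findings.append(f"{name}: git source not pinned to a commit")
    return findings

# Constructed sample manifest (hypothetical app and URLs).
SAMPLE = json.loads("""{
  "app-id": "org.example.Demo",
  "finish-args": ["--share=network", "--filesystem=home:ro", "--talk-name=org.freedesktop.Flatpak"],
  "modules": [
    {"name": "libdemo", "sources": [{"type": "archive", "url": "http://example.org/libdemo-1.0.tar.gz"}]},
    {"name": "demo", "sources": [{"type": "git", "url": "https://example.org/demo.git", "tag": "v1.0"}]}
  ]
}""")

if __name__ == "__main__":
    print("\n".join(audit_manifest(SAMPLE)))
```

It only handles JSON manifests; a YAML manifest would need to be parsed into the same dictionary shape first.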