This CVE is worth mentioning too. "Local attacker" here actually means anyone with access to /tmp (like a user over SSH for instance). There was also this fiasco where they were planning to push a proprietary office suite onto new users but changed their minds after backlash.

Expired certs and bugs/vulnerabilities aren't unheard of and aren't reason enough to avoid a project on their own. However I don't think Manjaro has a good track record or a good model of rolling out updates (and doesn't appear to have their users best interests in mind), and I don't think the service it provides is worth any risk at all since I don't think it has value. Newbies can use user friendly distros, others can use other distros, like Arch in this instance. I'm not aware of any niche that Manjaro fills that other distros don't.

(Yeah the treasurer drama probably shouldn't have been brought up here. It might be relevant for prospective/current donors, but I'm not in that demographic so I haven't bothered to form a strong opinion.)