Many times the way Chocolatey works is to use PowerShell to download the package from the official distribution point, this way no distribution rights are violated.
How do I know if I can trust the community feed (the packages on this site)? Even with moderation in place, the answer is that you can't fully trust the packages here. They are created by community members and, although moderated to determine that they are installing the software the package is based on and that the package itself doesn't do anything malicious, it makes no guarantees about the underlying software that is installed. In some cases package maintainers do not implement checksums on the downloads, so there is also no guarantee that what the original maintainers/moderators expected you to get is what you get. We will make checksums a requirement in the future to combat this, but for now you should be somewhat careful about placing full trust in something you cannot control.
If you require trust (e.g. most organizations require this), you should have an internal feed with vetted packages using internal resources. You should always decide whether you trust the maintainer(s) of the package, and even then you may want to inspect the package prior to installing. You can inspect packages easily by clicking download on the package page (and then treating the nupkg file as a zip archive).
Then again, in this case, it's exactly like when you use the AUR on ArchLinux.
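As an added example (not from the post above and not Chocolatey's own tooling), this PowerShell script performs the inspection the quoted text suggests: it opens a downloaded .nupkg as a zip archive, lists its contents, prints the install script with every URL it would contact, and reports whether downloads are declared with a checksum. The package path is an assumption.

```powershell
# Added example, not from the original post: inspect a downloaded Chocolatey
# .nupkg offline before installing it. The path below is an assumption.
param(
    [string]$NupkgPath = "$env:USERPROFILE\Downloads\example.1.0.0.nupkg"
)

Add-Type -AssemblyName System.IO.Compression.FileSystem

# A .nupkg is an ordinary zip archive, so it can be opened read-only without installing anything.
$zip = [System.IO.Compression.ZipFile]::OpenRead($NupkgPath)
try {
    Write-Host ("Entries in {0}:" -f $NupkgPath)
    $zip.Entries | ForEach-Object { Write-Host ("  {0}  ({1} bytes)" -f $_.FullName, $_.Length) }

    # The install script is where a package fetches the software from its distribution point.
    $install = $zip.Entries | Where-Object { $_.FullName -ieq 'tools/chocolateyInstall.ps1' }
    if ($null -eq $install) {
        Write-Host 'No tools/chocolateyInstall.ps1 found; the package may embed its files instead.'
        return
    }

    $reader = New-Object System.IO.StreamReader($install.Open())
    try { $installScript = $reader.ReadToEnd() } finally { $reader.Dispose() }

    Write-Host "`n--- tools/chocolateyInstall.ps1 ---"
    Write-Host $installScript

    # Show every URL the script would contact so it can be compared with the vendor's official site.
    [regex]::Matches($installScript, 'https?://[^\s''"`)]+') |
        ForEach-Object { Write-Host ("  download URL: {0}" -f $_.Value) }

    # A download without a checksum means the file you receive is never verified
    # against what the maintainer and moderators actually reviewed.
    $downloads   = $installScript -match '(?i)Install-Chocolatey(Zip)?Package|Get-ChocolateyWebFile|DownloadFile|Invoke-WebRequest'
    $hasChecksum = $installScript -match '(?i)checksum'
    if ($downloads -and -not $hasChecksum) {
        Write-Warning 'Install script downloads files but declares no checksum.'
    } elseif ($downloads) {
        Write-Host 'Install script downloads files and declares a checksum.'
    } else {
        Write-Host 'Install script does not appear to download anything.'
    }
} finally {
    $zip.Dispose()
}
```

Compare the printed URLs with the vendor's official download location before deciding whether to install or to re-host a vetted copy on an internal feed.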