Benson
Posts: 4,930 | Thanked: 2,272 times | Joined on Oct 2007
#16
Installing packages is done as root; no matter what you set up (other than rejecting packages before installation), a malicious package can disable or circumvent the firewall. Same as on any UNIX system; if you don't trust the software, don't do a system-wide install.

After installing, you can check sudoers, as it's reasonably likely that malware would put itself in there to permit any malicious activities that require root. All depends on the payload, of course. A keylogger can get by quite fine by itself, as long as some usable process (ssh, mail, etc.) is able to access the outside world.

Things you can do to check software you're considering installing:
Check the file-list.
Check the install scripts.
That should make the scope of things it can do clear; but even with no SUID or sudoers entries, you can do a lot.
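The two checks from the post above (file list and install scripts), plus the sudoers check, as an added example that is not part of the original post. It assumes Debian-format packages inspected with `dpkg-deb`; the function names and the sample listing are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the post. Assumes Debian-format packages and dpkg-deb.

# flag_listing: read a `dpkg-deb -c` listing (tar -tv style) on stdin and print
# the entries that would give the package standing privilege after install.
# Assumes paths without spaces, so the path is always field 6.
flag_listing() {
    awk '
        { mode = $1; path = $6 }
        # s or S in the owner/group execute slot marks set-uid/set-gid
        substr(mode, 4, 1) ~ /[sS]/   { print "SUID     " path }
        substr(mode, 7, 1) ~ /[sS]/   { print "SGID     " path }
        path ~ /^(\.\/)?etc\/sudoers/ { print "SUDOERS  " path }
    '
}

# flag_script NAME: read one maintainer script on stdin and print the numbered
# lines that touch sudoers, the firewall, or set-uid/set-gid mode bits.
flag_script() {
    grep -nE 'sudoers|iptables|chmod[[:space:]]+(-[A-Za-z]+[[:space:]]+)*([ugoa]*\+[a-z]*s|[2467][0-7]{3})' |
        sed "s/^/$1:/"
}

# audit_deb FILE.deb: run both checks on a package without installing it.
audit_deb() {
    local deb=$1 tmp s
    tmp=$(mktemp -d) || return 1
    dpkg-deb -c "$deb" | flag_listing          # file list
    dpkg-deb -e "$deb" "$tmp"                  # control area, incl. install scripts
    for s in preinst postinst prerm postrm; do
        if [ -f "$tmp/$s" ]; then flag_script "$s" < "$tmp/$s"; fi
    done
    rm -rf "$tmp"
}

# Constructed listing (not from a real package) to show the output format.
flag_listing <<'EOF'
-rwxr-xr-x root/root      9000 2009-01-01 12:00 ./usr/bin/app
-rwsr-xr-x root/root      9000 2009-01-01 12:00 ./usr/bin/app-helper
-r--r----- root/root        40 2009-01-01 12:00 ./etc/sudoers.d/app.sudoers
EOF
```

Empty output only means none of these patterns appeared; as the post says, a package with no SUID or sudoers entries can still do a lot, so the flagged lines are a starting point for reading the scripts, not a replacement for it.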