fine-grained sudoers configuration (allowed commandline arguments)
For your case try something like this:
Cmnd_Alias PACMAN = /usr/bin/pacman -S -u, ! /usr/bin/pacman -S -u some_package
user ALL=(root) NOPASSWD: PACMAN
You can use shell glob patterns like [a-z],[0-9],* etc. in your sudoers file to exclude packages that match a certain pattern.
Write a script that does what you want and give sudo access to it.
Also make sure that whatever environment this is run in does not have access to the networking at all, or they can just use their own dns to spoof the mirror and then run arbitrary code as root when it gets installed by pacman.