I think the security risks are overblown.
Risks from lack of maintenance and data loss are higher. This is especially true for complex plugins with multiple functions. As always I’d advise backups.
The plugin code is inspected before first deployment and is available for inspection thereafter. As you say, most users aren’t actually capable of checking things out but there are probably enough who are to pick up the most nefarious concerns quickly enough, especially for popular plugins.
I think you are more likely to be caught by a scam or phishing than an Obsidian plugin.
Practically, I have a large number of vaults, including a number which exist only for testing. Any new plugin I might consider goes there first. I don’t install highly complex plugins (maintenance, complexity and data loss risks). I have an effective multiple backup regime, with versions.
Remember that this depends on a plugin.
And .txt files are still not treated as .md equivalent in Obsidian.
In Obsidian there are two options for link syntax: markdown and [[wikilinks]].
Wikilinks are much easier to write and are becoming more common; markdown links will be recognised by all programs that work with markdown. Converting one to the other isn’t that hard, and converters are available. For me, the speed and efficiency of wikilinks trumps any issues of compatibility with programs that remain stuck on markdown linking.
I’m afraid I can’t help there. Not an Apple user (I dislike their security practices!!). But I’ve seen frequent references to both programs here, so there ought to be plenty of specific help if you need it.