Community Plugin - Security Hint and Quality Gate

I am strictly against imposing any time constraints on this.

I am speaking for myself only right now: I don’t need peer-pressure to add more work to my plate. Personally, this would make me pull my plugins from the store, even if we made this an opt-in workflow. I have enough to do with work, PhD and other personal projects to keep me plenty busy. I developed the plugins because I had a problem that I wanted to be solved, and decided to offer them to the community because they could help others. I’ve taken issues and PRs whenever I’ve been able to, but this has added a not insignificant amount of work that does not benefit me, but helps others. And I do it gladly, whenever I can spare some time and even enjoy it!

Once you turn that into an obligation to respond within X time, or else… it becomes a job. It’s a job that doesn’t pay me. Sponsorships (if I could legally accept them) would not be able to cover my hourly rate. And, when given the choice between an additional job and what I consider a hobby, I would simply unlist my plugins, stop accepting PRs and requests, and maintain them for myself, so I can spend my time in another hobby of mine. I am a single data point, maybe other devs won’t mind.

Putting the burden on the developers only would give users, especially non-technical ones, a false sense of security. If security is an issue, in my opinion, either (a) users should not use plugins or (b) should have a threat model that allows them to evaluate their risks and take appropriate measures, whatever those may be. Would this feature help? Maybe, but IMO it would be insufficient and potentially dangerous for users that don’t understand what the “tag” means or implies. See Security of the plugins for a more thorough discussion.

For many developers, plugins are their first programming project ever. Many have learned to program just to tackle something they wanted to do differently. The community really prides itself on supporting people who are eager to learn. In that regard, I’d consider the plugin store a hobby plugin store. People have shared something they made, and no one has forced anyone to use it. Imposing this feature with time constraints, even by making it “optional” and expecting peer-pressure to take care of it, would discourage many/most or at least some developers, and the community would suffer for it. If security and timely responses are a requirement, in my opinion, people should consider hiring a professional developer to build and/or maintain the plugin they need, and who can respond within their expected/required timeframe (whatever that may cost).