While working with a plugin designed to sync vaults to version control and potentially share them publicly, I noticed some plugins store sensitive data, like API keys, in the .obsidian folder, either as standalone files or inside the plugin’s data.json. It’s possible (if generally unlikely) for users to unwittingly share this information.
If there were a standard location for plugin developers to store secrets and sensitive information, e.g., a .secrets folder, that would allow users (and plugins) to safely share non-sensitive information while being more guarded with sensitive data.
Plugins could set a flag in their manifest declaring that they use the .secrets folder, and a standard notice could be displayed. Other plugins could use the manifest list (along with a standard location) to perform automated audits, encrypt/decrypt secrets files on the fly, etc.