How does Obsidian store my encryption password for Sync?

Thanks a lot! :heart:

Just to sum it up:

  • Encryption keys are stored somewhere under %APPDATA%\obsidian\IndexedDB, not in the vault itself.
  • If I want to keep the keys out of that folder, I need to run Obsidian in a sandbox like PortableApps or EnigmaProtector, as suggested in the posts linked by @WhiteNoise in this thread: Obsidian Run in Portable Mode?

You didn’t comment on this, but I assume that community plugins could theoretically access any folder on the entire client device, and with enough knowledge of the index, could obtain the encryption key, which could compromise the vault even after the malicious plugin has been uninstalled. Therefore, it is important to take extra care to only use plugins from trusted sources.