(I am not a security expert.) I think your system sounds pretty solid, but I would not run the parent vault while any child vault is mounted. Plugins can pretty much do whatever, so it should be possible for them to access the mounted vault one way or another. This comment gives details about that, and the thread in general is essential reading about Obsidian security (see especially comments from Obsidian developer Licat and associate WhiteNoise): Security of the plugins - #43 by davecan
1 Like