Not everybody needs to check, obviously. There’s a sweet spot of enough developers checking—in particular those who want to improve or fix the plugins.
Once the first rogue Obsidian plugin is discovered, it will be a huge story.
But this will take much longer than, say, Chrome extensions, because the plugins’ source is on GitHub (with one or more closed-source paid extensions which I understand are under strict review by Obsidian core developers?)