This thread is way too long to read all three years’ worth to make sure nobody has shared my thoughts.
I totally understand that the Obsidian developers cannot be held responsible for making decisions about what is secure and what isn’t on behalf of the user. However, that does not mean community plugins have to be the Wild West either.
Most corporations have a process to review software for approval to install it. Corporate users can (have to) trust that process to determine what is safe and what is not, for their environments. For example, in my company, we have been approved to use Obsidian and the Core Plugins, as long as we sign an attestation that we will not enable community plugins.
A huge step in the right direction for those of us who really just wish we could use some of the most popular plugins, like Templater, Tasks, and DataView, would be for Obsidian to build into the core product the ability to whitelist plugins.
Then, our corporate IS departments could assess individual plugins as well as the core product, and those approved plugins could go onto the whitelist. I’ve noticed at least one thread elsewhere on this forum, around being able to pin versions of plugins. I would imagine that the whitelist could also allow specific versions to be approved, so we couldn’t upgrade a plugin without a new assessment, too.
If actually enforcing a whitelist is too difficult, then perhaps having a built-in notification system would be the next best compromise. If my IS department were notified any time I installed a plugin (or, maybe a plugin not on the whitelist), then they would trust us with enabling the community plugins feature.
Anyway, I think there are partial solutions that could be figured out that make an effort to increase the number of us in more security-conscious environments that can adopt Obsidian and/or some of the popular plugins.
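The allowlist-with-pinned-versions idea above can already be approximated from outside Obsidian: an IS department can audit a vault's plugin settings and manifests against an approved list and report anything that does not match. The script below is an added example and is not code from the poster or from the Obsidian project. It assumes the usual vault layout (`.obsidian/community-plugins.json` holding the enabled plugin ids, and `.obsidian/plugins/<id>/manifest.json` carrying each plugin's `id` and `version`); the allowlist entries, version numbers and plugin names it uses are constructed placeholders, not an actual approved list.

```python
"""Audit an Obsidian vault's community plugins against a pinned allowlist (added example)."""
import json
import tempfile
from pathlib import Path

# Constructed allowlist (placeholder values, not a real approved list):
# plugin id -> set of versions the IS department has assessed and approved.
ALLOWLIST = {
    "templater-obsidian": {"1.16.0"},
    "obsidian-tasks-plugin": {"5.0.0"},
    "dataview": {"0.5.56"},
}


def read_json(path: Path, default):
    """Return the parsed JSON at path, or default if the file is absent."""
    return json.loads(path.read_text()) if path.is_file() else default


def audit_vault(vault: Path, allowlist: dict) -> list:
    """Compare the vault's installed and enabled plugins with the allowlist.

    Assumed layout: <vault>/.obsidian/community-plugins.json is a JSON list of
    enabled plugin ids; each installed plugin lives in
    <vault>/.obsidian/plugins/<id>/manifest.json with "id" and "version" keys.
    Returns (finding, plugin_id, version) tuples, sorted for stable output.
    """
    cfg = vault / ".obsidian"
    enabled = set(read_json(cfg / "community-plugins.json", []))
    installed = {}
    plugins_dir = cfg / "plugins"
    if plugins_dir.is_dir():
        for entry in sorted(plugins_dir.iterdir()):
            manifest = read_json(entry / "manifest.json", None)
            if manifest is None:
                continue
            installed[manifest.get("id", entry.name)] = str(manifest.get("version", "unknown"))

    findings = []
    for pid, version in installed.items():
        if pid not in allowlist:
            findings.append(("NOT_ON_ALLOWLIST", pid, version))
        elif version not in allowlist[pid]:
            # Pinning: an approved plugin at an unassessed version is still a finding.
            findings.append(("VERSION_NOT_APPROVED", pid, version))
    # An id that is enabled in settings but has no plugin directory is worth flagging:
    # it will load as soon as someone drops files into that directory.
    for pid in sorted(enabled - set(installed)):
        findings.append(("ENABLED_BUT_NOT_INSTALLED", pid, "-"))
    return sorted(findings)


def build_sample_vault(root: Path) -> Path:
    """Write a constructed vault layout used to exercise the audit."""
    cfg = root / ".obsidian"
    plugins = {
        "templater-obsidian": "1.16.0",              # approved version
        "dataview": "0.5.57",                         # newer than the assessed version
        "hypothetical-unreviewed-plugin": "0.1.0",    # never assessed (constructed id)
    }
    for pid, version in plugins.items():
        plugin_dir = cfg / "plugins" / pid
        plugin_dir.mkdir(parents=True)
        (plugin_dir / "manifest.json").write_text(
            json.dumps({"id": pid, "name": pid, "version": version})
        )
    # Enabled list also names a plugin that is approved but not actually installed.
    (cfg / "community-plugins.json").write_text(
        json.dumps(list(plugins) + ["obsidian-tasks-plugin"])
    )
    return root


def run_demo() -> list:
    """Build the constructed vault in a temp dir and return the audit findings."""
    with tempfile.TemporaryDirectory() as tmp:
        vault = build_sample_vault(Path(tmp))
        return audit_vault(vault, ALLOWLIST)


if __name__ == "__main__":
    for finding, pid, version in run_demo():
        # In a corporate deployment this report is what would be forwarded to IS.
        print(f"{finding:26} {pid:34} {version}")
```

Pointing `audit_vault` at a real vault path (instead of the constructed one) is all that changes for actual use; an empty result means every installed and enabled plugin is on the list at an approved version.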