I guess the discussion is mainly about the 3rd-party plug-ins. And I think for the core plug-ins, there is no reason to pay more attention to the security aspect, because, to be honest, even using Obsidian is at your own risk.
I think @den provides a good direction which needs to be discussed and addressed. But currently, there is no need to provide a quick conclusion with so little information available.
I think Obsidian may provide a clean version, which is decoupled from all 3rd-party plug-ins. Obsidian developers may need to do whatever they need to keep their reputation and make sure the plug-ins released with Obsidian are safe, maybe by checking each line of the code.
And for the 3rd-party plugins, I think requiring all the 3rd-party plugins to be open-source software may be a possible way. Peer review may be the only thing that everyone can be satisfied with. And as the last resort, if the plug-in is open source, you can always read the code on your own to make sure it is secure FOR YOU. Perhaps a switch that can stop all the 3rd-party plugins is the only thing that Obsidian can provide to the end user.
And I think the paid service or solution mentioned by @Dor is another possible way. For people who have a strong concern about security but are unable to fulfill their requirements by themselves, they have to pay something: their own effort or something else, such as trust or money.
And for @Licat, I think what we want to do here is to make the discussion constructive. And for a valid concern or proposal, if it is not the proper time to address it, we can probably record it first and postpone the proposal until a specific time. The time may be after a release of a major function.