Advice to users who may share the same concern:
We totally understand the concern, and trust me we totally want to address this too.
As with computer security, it’s all about managing your threat model. If you’re someone like Edward Snowden, then there’s no way you can even trust Obsidian the app itself. Top secret government agencies probably shouldn’t run arbitrary executables they download from the internet, or for that matter, even computer hardware they didn’t build themselves!
As a regular user though, it’s probably ok to buy hardware from Amazon, and download apps from the internet. You should treat downloading and running plugins from Obsidian the same as if you’re downloading it from the internet. Check if it’s from a reputable developer, see what other users have to say about it, and audit the source code yourself if you must.
If security is a top concern for you, then you should probably consider writing plugins yourself. We’ll make sure that it’s real easy to do so once the API is out.