Security of the plugins

I understand that guaranteeing the security of any plugin is not feasible, but I think useful progress can still be made to protect users against the inevitable nasty plugin.

Let’s say that yesterday, someone looked through the source for plugin-x and found it was sending sensitive files to a remote server. Now today, I’m looking at the Obsidian plugins page, considering downloading plugin-x. The fact that it sends sensitive files to a remote server is rather useful information to me! (Or at least the fact that it has been alleged to be up to no good.)

So perhaps a mechanism to ‘report’ a plugin is in order? The reporting form could even ask the reporting user to link to the offending line of code in the GitHub repo and explain what it’s doing, and why that’s bad.

It would take up a bit of the Obsidian devs’ time, but seems like a low-cost option to me.

And even just the existence of this mechanism would act as a deterrent to plugin developers, knowing they’ll get a ban from Obsidian, and maybe even get kicked off GitHub too (hosting a malicious service is against the terms of service).

Apologies if the suggestion has already been made above, I’ve only read the summary of the thread.