Comment by PurpleRamen

2 days ago

At the core, there is the tradeoff between ability and security. You can give the users power and enable them to do fancy shit, or you can make it secure, stripping any meaningful ability. Usually, people prefer ability over security.

The other problem is that security is hard, and just giving generic access and adding some basic guards is simple.

The first trade-off is not precisely stated: you can do "both" with user choice. In this case it would be: no plugin has "all filesystem access" unless the user explicitly approves it, and that approval steers the user to a very narrow "plugin folder only" path by the way the UI is done. Think this is "secure by default"? You don't undermine any ability here because most plugins don't need any filesystem access, so you get extra security "for free" for most users and only some friction (but still not removing the ability altogether) for the rest.
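The deny-by-default, narrow-scope model the comment sketches, as an added example that is not part of the original comment or of any real plugin host: a plugin gets no filesystem access until the user approves a scope, the host proposes the plugin's own folder as the default, and every access is checked against the resolved path so a symlink or ".." inside the approved folder cannot reach outside it. The names (FsBroker, Grant, the approve hook) and the sample files are hypothetical and constructed here.

```python
# Added example (hypothetical broker, not code from the comment or any real
# plugin host): a deny-by-default filesystem broker. Nothing is readable until
# the user approves a scope; the default scope offered is the plugin's own
# folder; checks run on resolved paths so symlinks and ".." cannot escape.
from __future__ import annotations

import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path
from typing import Callable


class AccessDenied(PermissionError):
    """Raised when a plugin touches a path outside every approved scope."""


@dataclass(frozen=True)
class Grant:
    root: Path      # already resolved: no symlinks, no ".."
    write: bool     # False means read-only


@dataclass
class FsBroker:
    plugin_home: Path
    # Hypothetical UI hook: (plugin, proposed root, write?) -> did the user say yes?
    approve: Callable[[str, Path, bool], bool]
    grants: dict[str, list[Grant]] = field(default_factory=dict)

    def default_scope(self, plugin: str) -> Path:
        """The narrow scope the UI steers users toward: the plugin's own folder."""
        return (self.plugin_home / plugin).resolve()

    def request_scope(self, plugin: str, requested: str | None = None, write: bool = False) -> bool:
        """Ask the user for a scope. Nothing is granted unless approve() returns True."""
        root = self.default_scope(plugin) if requested is None else Path(requested).resolve()
        if not self.approve(plugin, root, write):
            return False
        self.grants.setdefault(plugin, []).append(Grant(root, write))
        return True

    def _authorize(self, plugin: str, path: str, write: bool) -> Path:
        # resolve() follows symlinks and collapses "..", so we compare the path
        # that will actually be opened, not the string the plugin handed us.
        real = Path(path).resolve()
        for g in self.grants.get(plugin, []):
            if write and not g.write:
                continue
            if real == g.root or g.root in real.parents:
                return real
        raise AccessDenied(f"{plugin}: {path} is outside every approved scope")

    def read_text(self, plugin: str, path: str) -> str:
        return self._authorize(plugin, path, write=False).read_text()

    def write_text(self, plugin: str, path: str, data: str) -> int:
        return self._authorize(plugin, path, write=True).write_text(data)


def demo() -> dict[str, object]:
    """Constructed scenario: one plugin, a file inside its folder, a file outside,
    and a symlink inside the folder that points outside. Returns each outcome."""
    tmp = Path(tempfile.mkdtemp())
    home = tmp / "plugins"
    (home / "notes").mkdir(parents=True)
    (home / "notes" / "config.txt").write_text("inside")
    (tmp / "secret.txt").write_text("outside")
    os.symlink(tmp / "secret.txt", home / "notes" / "link.txt")

    # Simulated user: accepts the narrow read-only default, refuses anything wider.
    broker = FsBroker(home, approve=lambda p, root, w: root == (home / p).resolve() and not w)

    def attempt(fn, *args):
        try:
            return fn(*args)
        except AccessDenied:
            return "denied"

    out: dict[str, object] = {}
    out["before_grant"] = attempt(broker.read_text, "notes", str(home / "notes" / "config.txt"))
    out["broad_grant_accepted"] = broker.request_scope("notes", requested=str(tmp))
    out["default_grant_accepted"] = broker.request_scope("notes")
    out["read_inside"] = attempt(broker.read_text, "notes", str(home / "notes" / "config.txt"))
    out["read_outside"] = attempt(broker.read_text, "notes", str(tmp / "secret.txt"))
    out["read_via_symlink"] = attempt(broker.read_text, "notes", str(home / "notes" / "link.txt"))
    out["read_via_dotdot"] = attempt(broker.read_text, "notes", str(home / "notes" / ".." / ".." / "secret.txt"))
    out["write_with_ro_grant"] = attempt(broker.write_text, "notes", str(home / "notes" / "new.txt"), "x")
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of resolving before comparing is the part most toy sandboxes get wrong: a string-prefix check on the requested path would let `plugins/notes/link.txt` or `plugins/notes/../../secret.txt` through, while the resolved-path check denies both. Granting read and write separately is what keeps the friction low for the common case, since most plugins that need any access only need to read their own folder.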