Comment by eviks

The first trade-off is not precisely stated, you can do "both" with user choice. In this case it would be: no plugin has "all filesystem access" unless user explicitly approves it, and that approval steers the user to a very narrow "plugin folder only" path by the way UI is done. Think this is "secure by default"? You don't undermine any ability here because most plugins don't need any filesystem access, so you get extra security "for free" for most of the users and with only some friction (but still not removing the ability altogether) for the rest.