It does give full access, but Obsidian does tell you that. Community plugins are not enabled by default; you have to enable them manually. The same happens with a shared vault: once you get it, you still have to manually enable plugins. So far no one has managed to sneak in a plugin completely unnoticed.
"Hey users: don't do insecure things. Here's a button to do cool insecure things!" is not a plugin security model.
That's horse hockey. Obsidian is not a usable system without community plugins.
Folks will reply "but I use it every day without plugins".
That position disregards software usability as a formal discipline, along with decades of UX research and standards.