Hacker News

kid64 yesterday at 11:35 PM, 8 replies

That's horse hockey. Obsidian is not a usable system without community plugins.

Folks will reply "but I use it every day without plugins".

That position disregards software usability as a formal discipline, along with decades of UX research and standards.


Replies

wasabi991011 today at 3:16 AM

If you want to use a niche, academic definition of "usable", that's fine but you better be ready to explain yourself.

Because in general, "usable" means "people use it". Which they do for Obsidian without community plugins without issues.

Loocid yesterday at 11:50 PM

As one of those people that uses Obsidian without plugins, what plugins do you consider essential?

jjice today at 1:14 AM

But I use it every day without plugins.

Seriously though, I agree with your sentiment that community plugin security can and needs to be improved, but how does someone saying they use it every day "disregard software usability as a formal discipline, along with decades of UX research and standards"?

ImPostingOnHN yesterday at 11:39 PM

The attack here requires not just enabling community plugins, but also syncing the attacker's vault to your computer, and also separately enabling the synchronization of the attacker's plugins with yours.

kid64 yesterday at 11:47 PM

Yeah, but these attacks are possible without any of that complexity.

Barrin92 yesterday at 11:53 PM

I think that's especially important to point out because it reminded me of a blog post by Obsidian that also was discussed here[1], where they talked about reducing supply chain risk by not relying on dependencies, but people quickly pointed out that this is only possible because users depend so heavily on extensions. Just look at that top comment and here we are now.

This combination of software relying on third parties without security seems to be untenable. Personally I've gotten rid of just about as many extensions as I can anywhere and switched to batteries-included software.

[1] https://news.ycombinator.com/item?id=45307242

AlienRobot today at 12:52 AM

The real problem is people believing "plugins" are not full software.

If you install a dozen mini-apps from random developers you never heard about, you can't complain if one is malware.

Krita also has a plugin system based on Python. Any "plugin" has the same level of access as running a Python script.

Personally I blame operating systems for not providing a way to isolate how programs interact with user files.
