> But if it can't talk to the internet, I kind of don't see the issue.

No internet access doesn't save you.

With file system access it can delete a file.

Without sudo access it can silently add something to your user's crontab so a few days from now it runs a custom shell script that does anything with internet access. If you're not checking into this sort of thing regularly, you wouldn't know.

It can add something to your user's shell's rc so when you open a new terminal session, a bad side effect happens.

Malware scanning won't protect from these sort of things and every time a new version is available, it's another opportunity for something bad to happen.

To be fair this isn't a problem unique to Obsidian. Code editor plugins and most programming language package managers have the same problem.