Obsidian plugin security: "cannot reliably restrict plugins" — official docs

Source: documentation. Strength: strong.
Official: "Due to technical limitations, Obsidian cannot reliably restrict plugins to specific permissions or access levels." The lead developer confirmed on the forum: "there is ABSOLUTELY NO SECURE WAY to run plugins without severely crippling the plugin API." Plugins can access the Node.js child_process module. Standard Notes comparison: plugins run as first-party code with full filesystem access.
Published January 1, 2024
Added March 22, 2026