However, if my intentions were malicious, I wouldn’t say so in the description. There are many mobile apps, browser extensions etc., which claim to do something different (and also do that), but do other, not so nice stuff in the background. As you’ve stated:
If there hadn’t been a permission system, no one would have known what this app does access. Therefore, I agree that a permission system would be necessary (whether that is the way apps do it or the way a browser does it doesn’t matter too much to me – needed privileges can be explained in the description and if they aren’t, that’s the developer’s fault when people don’t install the plugin).
Especially as long as there isn’t a full-fledged review system for plugins in place (in which plugins with other intentions than what they claim can get “called out”), broader permissions without a (very strict) permission system are simply too much of a security risk – at least to me.
Especially in the field of design, where NDAs are a common thing and trust is a really big “issue” (or at least can be), it is vital for plugins to not have the ability to do “everything”. Also, things like saving the XD file can already be problematic (just imagine a plugin first deleting everything, then saving the file and somehow crashing XD). I’m not accusing anyone here of doing something malicious with plugins, but where there is an opportunity, there will always be those who’ll use it. Therefore, with all these things that could get abused by plugins, I strongly suggest implementing an infrastructure protecting users before implementing such things – users’ trust is extremely hard to get back once harmed (which would critically damage the image of plugins for and even of XD itself). It’s better to be safe (and wait for a good implementation of things like this) than to be sorry…