Hi @paul_at_reco,
You can find a lengthy discussion surrounding the topic here: Run External Application from XD Plugin - #13 by PaoloBiagini.
Please note that I wasn’t with Adobe then (just another plugin developer) => my points in that post don’t represent any “official position” (for that, you’ll need to have a look at Kerri’s comment there).
Long story short (/-ish 
):
There are two aspects to this. First, on a technical side, CEP had a full NodeJS integration, meaning it would have almost been impossible to stop this from happening. Thanks to UXP, we now have an opportunity to do it “the right way”, which isn’t (in my opinion) fully disallowing running external apps, but doing so after users gave explicit permission to do so.
Why do we want that? First, UXP plugins are easier to install than anything before (with an “app store like” experience using the Creative Cloud Desktop App). Users don’t necessarily expect a plugin to have deep system permissions and often install a few plugins to try them (which is fantastic as it also empowers small plugins built, e.g., by designers, to automate some tedious tasks). Suppose a malicious plugin executes something that it shouldn’t do (even without admin permissions, there’s a lot that shouldn’t get done, e.g., deleting stuff from the user folder). In that case, this could destroy trust and be bad for all plugin developers.
To avoid that, we want to have something comparable to mobile apps, where you get a popup (the first time) about “XY wants to access your file system” / “XY wants to run an external app” / something like that and then you can run an external application (since, of course, as you say, there’s a lot of benefit of plugins having the possibility to launch/drive external apps). This way, users get the explicit notification that the plugin wants to do something with deeper permissions and can make a conscious choice about that (users might think twice about giving a shady-looking plugin such access, while they wouldn’t expect a plugin to have that level of access “by itself”).
So, overall, it’s a combination of the ease of installation (requiring user trust) and just having an opportunity to make it right that’s the main factor.
While I understand that this isn’t ideal for you (as it, as of right now, still prevents you from achieving your result), I hope it still makes sense why we want to do this with a permissions system.
Thanks,
Pablo
PS: Here’s another post by @kerrishotts that sums it up better than I can 
: System Call Access for UXP - #12 by kerrishotts