Is this correct to use image fill

I think persistent file references without a security layer are undesirable: when a reference can “easily” get stored, it can also get manipulated by a plugin. This would allow for bad things again (if a developer abuses it) and therefore create a security risk (which we’ve already debated in Run External Application from XD Plugin :wink:).

Instead, I think XD plugins could use a permission system (similar to how mobile apps handle permissions). It could then include all those “tricky” things like access to the whole file system (without explicit permission by a user), running external applications and so on (later, when technically feasible, leaving the editing context, etc.). With it, things like hard-coded paths wouldn’t be a problem anymore, since the user would have been warned beforehand that the plugin wants to access stuff that might be harmful (if the developer cannot be trusted). Therefore, it would be up to the user to decide him- or herself what the plugin is allowed to do (resolving the issue of plugins being able to silently do stuff that could be potentially harmful).

All in all, hard-coded (and therefore maybe “saveable”) paths aren’t something I’m against (quite the opposite, in fact). I want to propose creating a security layer like a permission system for it beforehand, so as not to make it the fault of plugins in general (and therefore harmful for all developers) if there should be a black sheep distributing malware (undetectable by Adobe’s review) at some point in time.

2 Likes