Would it be possible to define per plugin if it is sandboxed with restricted access or not?
Some kind of permission system like in Android would be nice. A plugin that needs access to the passphrase has to request that permission (maybe with a password?).
If a plugin does not ask for that permission, there will be no way that it could get access to the passphrase.
This would allow a lot of simple plugins with very low permissions. Those plugins don't need some fancy verification or hash or whatever; everybody could write and publish them, and the user can be sure that even if there is some hidden code/functionality in it, there is no way that it could gain access to the account. Only sophisticated plugins that need access to the passphrase must be managed somehow with some verification, so the user can be sure that the plugin will do what it is supposed to do.