The problem of trusting plugins in a decentralized environment while maintaining the anonymity of the developers is a difficult one.
I suggest the following best practices to make plugins more trustworthy:
For developers, use a distribution system like the one we already use for NXT itself and SuperNet:
1. Open source code.
2. Reproducible packaging procedure.
3. Package downloaded directly from the same source control system.
4. Hash of the package posted on the nxtforum.
5. Additional PGP or some form of digital signature which confirms the identity of the developer.
For users, I suggest the following best practices:
1. Do not install plugins that do not rely on the distribution system described above.
2. Use only plugins installed by yourself, avoid using plugins when connecting to a public node.
3. Do not use plugins when connecting to an account that holds a significant amount of NXT.
4. Do not follow links from plugin pages to external web sites.
In general I don't think we should introduce a new feature and disable it by default.