From what you say, it has more to do with the reliability of the plugin than the place where it is located. That makes the warning when changing the path a bit misleading. Regardless of whether it is located in the default documents folder or wherever, if the plugin author is malicious, you are equally screwed.
Leaving OneDrive aside, which is potentially more dangerous (I suppose) because it is linked to a services account, can you confirm that changing the path to another non-cloud path does not put me in more danger than in its default location (C:/Documents)? And would you consider reviewing the documentation to make it clearer?