If there are no security features, then I would think that someone could write a plugin that waited a couple of months to infect your computer, and you would probably never know where the infection came from. Or, whenever Paint.NET was running, it could look for interesting files and send them off to Russia. I'm not sure how that would be detected, and if the plugin were good, it would get good reviews, become popular, and maybe even get pinned. So, the situation is a little worrisome. (It didn't stop me from installing two plugins, but it does make me nervous.)
--Paul