
Why do they consider it a "vulnerability" that you can change the configuration of software running on your own computer? I've heard a lot of good things about Obsidian before, but hearing that basically burns it all up and means I'm going to strongly recommend that nobody buy anything from them anymore.


Obsidian distributes their software for free, and makes money on a core plugin called Obsidian Sync (note that it is not open source). Obsidian Sync relies on their cloud to offer e2ee file sync.

Obsidian also has a rich plugin ecosystem with lots of open source plugins that are available and serve the same purpose (and you can use gdrive, dropbox, etc too).

It makes sense to me that they released a proprietary privacy and security focused plugin (that is their core business) and they don't want other plugins to be able to arbitrarily change the server that their plugin is pointed at.

Suppose they have a government customer who is using Obsidian Sync and the sync URL can be changed easily via configuration changes -- now the customer believes they are using Obsidian Sync, but actually their data is going somewhere else.

I don't think you would be surprised to find that e.g. a dropbox daemon has protections to make sure it is pointing at dropbox.com. Why would you expect Obsidian to be different?

(disclaimer: I work on a different plugin that adds file sync and collaboration features to Obsidian)


My opinion is that they should have a rule such that plugins from the official list can't modify the sync URL, to prevent abuse and phishing, but the user should still be able to do whatever they want. The process for manually adding a plugin is already enough friction for users to be aware that what they're doing is not "safe".


They believe that through licensing ultimatums you can give that ownership right up, and oligopolies and governments have agreed.



