This has the potential to invalidate at least the spirit of some of @niemeyer’s points above, but reading the proposal in GitHub - basak/certbot-snap-build at snap-plugins/doc requires an admin to run sudo snap connect certbot:plugin ..., which must be done by an admin (i.e., honors point ‘3’) and the proposal mentions ‘Only perform this step if you trust the plugin author to have “root” on your system.’, which is great, but it would be good if this was somehow surfaced to the admin who might be cutting and pasting commands and not knowing the ramifications of the snap connect command. I’m not sure what a good UX would be for that, but can say that a connection hook may be helpful and/or a wrapper that notices the registered plugin and says something like “INFO: 3rd party plugin detected. Please only use if you trust the author of this plugin with root on your system” (or similar, I don’t want to dictate how this is done).
IMO, this is ok so long as the risk of the snap connect is bubbled up to the user in some manner. @pedronis please comment if you feel my assessment and recommendation need refinement.