chesheer
@chesheer@mastodon.bsd.cafe  ·  activity timestamp 3 months ago

The more I think about it, the more it seems to me that in this day and age, with all the modern threats, having a text editor that is capable of not only connecting to the Internet, but also installing some code packages from repositories (and probably doing dependency resolving) is a recipe for catastrophe. Sooner or later.
It's probably one thing when you use a curated list of half a dozen addons that you can even personally peruse (or even contribute to). It's a whole other thing when you use some huge "distro" with probably hundreds of packages that also receive constant updates you cannot possibly control.
It's mostly about #Emacs, of course, but #vim is fully capable of it too. I won't even mention the likes of #VSCode.
We had a fair share of supply chain attacks in recent years (npm, pip, even xz in some way). No reason to think no one's gonna use this channel of attack.
Maybe it's just my fibs. But there is some uneasy feeling about the fact that you edit, perhaps, extremely private, personal or sensitive texts while your editor runs some background code doing who knows what. It's one thing to trust people who wrote vim or Emacs and a whole other thing to trust a hundred other unknown parties at the same time.
