I wonder how much of this is about not wanting to have to deal with and be ultimately responsible for the security implications of a plugin system built on top of npm packages and tooling ... It's a great editor but seriously vulnerable.