I like the idea of a hybrid system, something like #3. Consider maybe something like:
- Unreviewed: the plugin is not considered trusted and should only be used if the downloader agrees to the risk.
- Community-reviewed: after (x) people have reviewed the code, it can be flagged as community-reviewed. This would have to be looked at carefully to prevent abuse by spinning up sockpuppet accounts, maybe by account age or a rep system.
- Fully reviewed: While the project can never assert complete safety, a fully-reviewed plugin has been reviewed by staff who agree that it is likely to be safe.
Another option might be some kind of trust system built into the APIs?