I have to agree with this, it would be very hard to make a permission system that would be able to catch all. If the sponge core team ever plans on making a plugin repo like bukkit dev, then the review process alone should be enough for making sure malicious plugins don’t go through.
And like Pixel said, permissions don’t achieve much except make paranoid server administrators.