I think initially there should always be a human (preferably a moderator), as @AtomSponge already mentioned, who reviews the first 1 or 2 versions of the plugins. After that, the community may be another instance in reaching a good level of trust. The people from the community could review the code of the next versions, and finally the last instance, which should avoid mistakes, would be the automated scanner (as has been mentioned in the plugin hosting).