You can always keep trying to protect people from themselves, but at some point you need to stop before you build a padded room without a door. You should not automatically deactivate stuff on someone else’s site for any reason without consent.
You could offer a protection option, but that would have to be hard opt-in only. Doing it any other way will make them blame you when something breaks, whereas otherwise they can only blame themselves (or the plugin maker who caused the vulnerability).