I don’t think we have enough people to review each new release.
What I think is that you should trust the developer to install a plugin, but as you said if a plugin is hosted on a bad hosting it can be hacked and the plugin can be overwritten with malicious code.