Every plugin, no exceptions, is checked for security issues. This doesn't mean that there aren't going to be security flaws caused by libraries utilized, but you do know that any random plugin is not going to go ahead and outright delete your media etc.
Every single plugin available via Apps gets installed on my production server, with no exceptions, and a code audit is done on what is actually present instead of what may be showing on GitHub. I am notified about every single update to every plugin (within 2 hours), and plugins which are not maintained by a contractor of Limetech are then code audited again. Every update. And with only a few exceptions, this happens on an actual production server, not on a test server.
If something ever fails the checks, then everything else gets dropped (including the 9-5 job) to handle the issue. Whether that means simply getting the application out of Apps temporarily and asking the maintainer / author "WTF? You can't do this", or notifying everyone with it installed via FCP about any issue, or preventing the Auto Update plugin from installing any update to the plugin, or even taking more drastic measures, provisions are in place to protect the user.
Closed source applications, whether they are plugins or containers, may be frowned upon, but are not necessarily disallowed. With plugins, the standard for open-source vs closed-source is more strict, but it is not 100% a requirement that only open source be present.