Participant
September 27, 2019
Question

How secure are Illustrator plugins?

  • September 27, 2019
  • 5 replies
  • 1548 views

Hi,

Simple question, what are the possible security issues with using 3rd party Illustrator plug-ins? 

A bit of background. I've found a useful tool to manipulate meshes and was very happy about it. But it has been brought to my attention that, since it's a free plug-in, we get no protection for loss of data and such in case something goes wrong when using an extra bit of software. Because of the type of my job, if the computer got infected/data stolen and such, it could lead to multi-million dollar lawsuits, and it's not something I'd like to deal with. Thus my concern about the possible security risks when using free plug-ins not from the Adobe store. Is it possible for a plug-in to copy data on the computer, run code in the background, or otherwise compromise a computer which is connected to the web, without me noticing?





This topic has been closed for replies.

5 replies

CarlosCanto
Community Expert
October 4, 2019

Agree with all the previous comments. You should exercise the same caution as you do using an exe from a random website. Plugins have the potential to be used for evil. But if you're referring to Mesh Tormentor, they've been around for a while and I have yet to see a complaint about them.

Inventsable
Legend
October 4, 2019

Plugin or extension? Many people use the terms interchangeably but technically a plugin is a C++ SDK snippet that extends Illustrator's own functionality, and an extension is a script or HTML panel which has access to the scripting environment exposed by Illustrator.

 

If a CEP HTML extension, you can manually check the current security status assuming that it was created with NodeJS and you have NodeJS installed on your computer. You can travel to the extension's root path in your command line/terminal then use 

npm audit

And see a detailed list of current security problems, their implications and how to fix them, like this.

Legend
September 27, 2019

Plug-ins are fully as powerful as any other app, and can do as much damage, and steal as much. Being in Illustrator does not limit them or protect you in any way.  So you must make your own judgement about the suppliers and distributors.  You should be exactly as wary as if you found a useful app.

 

If I were setting up an IT department, I'd CERTAINLY forbid running any free plug-ins and most commercial ones which are not industry standard. In many organizations this would already be a dismissible offence.

Monika Gause
Community Expert
September 27, 2019

There are tools that can notify you when something on your system tries to phone home. And you can even stop it from doing so. As for everything else: antivirus software.

Myra Ferguson
Community Expert
September 27, 2019

Without knowing what the 3rd party plugin is, I'd say in general that if you're concerned about security then you might want to avoid using the plugin and/or go with reputable providers. 

 

I did find this interesting blog post about how Adobe is tracking security vulnerabilities. For more info, you can contact them via Twitter @adobesecurity.