It’s an open question, meaning, I’m genuinely curious about the practices of anyone: users, devs, and dev-users 
Why? Partly to discover related behaviours which I myself should be doing, or at least considering doing.
Also, partly, because I’ve found this type of open discussion useful, eye-opening, and (sometimes) entertaining in community-heavy projects like this.
To get things started, here’s a thing I do related to plugins.
Before installing the plugins I currently have installed, I had a quick skim through each one’s source code.
Since that first install, I have not updated the plugins at all 
I would find it too much effort to repeat the process with each update.
Since I don't have time to skim source codes, I do this ;
Yep, using the Recommended badged plugins are another thing I remember doing.
probably overly cautious, but it works for me
One does what one prefers to do 
For example, I use an outbound firewall around Joplin and whitelist a single IPv4 address used for sync. Some might also find this overly cautious.
I’m grateful that Joplin’s outbound connections are easier to manage compared to, say, Standard Notes. On Standard Notes, IIRC functional sync required whitelisting several IPs. I think Standard Notes’ plugin ecosystem is more limited, although I can’t speak to their specific plugin security model.