Yep, using the Recommended badged plugins are another thing I remember doing.
probably overly cautious, but it works for me
One does what one prefers to do
For example, I use an outbound firewall around Joplin and whitelist a single IPv4 address used for sync. Some might also find this overly cautious.
I’m grateful that Joplin’s outbound connections are easier to manage compared to, say, Standard Notes. On Standard Notes, IIRC functional sync required whitelisting several IPs. I think Standard Notes’ plugin ecosystem is more limited, although I can’t speak to their specific plugin security model.