In 2026, applications, third or even first party, don't need to have full-disk access, and are not given it either. They see a jailroot environment. I give full disk access to the terminal app, and a handful of others. 90% of them, nope.
At least that's the case in macOS; I'm pretty sure Windows can do that too. Linux of course has had such capability since forever, but I guess on most distros you need to manually take care of it.
Would love to enable this for all apps, and add exceptions for the ones that need more access.
I installed Lulu and BlockBlock recently, and want to do more to harden my Mac.
When an app tries to access something outside of its sandbox, you get a notification asking to approve or deny. Full Disk Access I think needs to be explicitly given in System Settings (Privacy & Security -> Full Disk Access).
I have no idea how to do that in Windows though.
If you mean for the security of the app without plugins you can currently inspect the app's code in app.js and review third-party audits:
I've been using open source alternatives for different purposes for some time.
Obsidian would've been a great choice as open source note taking software. As it is now, it's just one sale, one exploit or one corporate rug pull away from being turned into something else.
Third party audits are meaningless. They were done for one specific version of the code at one point in time. There's literally nothing preventing a malicious version of the software from being shipped. The same goes for plausible deniability on security vulnerabilities in the context of plugins (even with these alleged prompts that the user has to skip on purpose).
They are not making excuses, they stated clearly why open sourcing it is tangential to this problem at best, and they're not the only user to call out the hijacking of the thread. They have been quite clear about why they keep it closed source, so I don't know why you're making it sound like they are lying to their users.
Your rant about audits has little to do with the article too. Telling everyone we're going to get rug pulled is exactly the kind of performative FUD that is meant to get a reaction more than anything.
Speaking for myself, I'm going to keep using it, because nothing has come close to the convenience and performance. Would love an open source alternative to prove me wrong, but I haven't seen it.
That's not good enough for open source zealots. That's when you end up being the headliner in an endless flood of blog posts and detailing comments telling everyone you're a 'proprietary evil man'. It's open source or nothing. And how dare you make money.
Is this like a popup, which most people actively accept without blinking?
I think plugin/extensions should be a bit harder to run by default. I get the user friction from extra hurdles before using their plugins etc., but I don't think there is an actually safe way to execute arbitrary code, unaudited, without sandboxing, or other restrictions.
There are no protections beyond that; community plugins can do whatever they want. Thankfully, the vast majority of them are open-source.
IMO that's an issue in and of itself, but it doesn't read that way in the (very unclear) original article.
I use Obsidian because it does not treat me like a child. They can add more nags and banners for normies, but the capabilities should remain.
I think by that logic dangerously-skip-permissions and openclaw should've never been a thing. I agree that people use them too liberally, but I think at some point you have to find a balance between systemic safety risks and individual freedom.
One can reduce every tool to a toy and justify it with some hand-wavy security slop, but removing capabilities destroys use cases.
The ability to control your tools is good. You should be able to run anything on your devices. Therefore, those who propose the toyification of tools should carry the burden of justifying the change.
The same infantilization of users currently happens with Signal, where high-level decision makers are asked by strangers to share their deepest secrets. Since these strangers introduce themselves very nicely, users start blurting out their secrets. ... now everyone is pretending this is a Signal problem. It is not. The world is not a kindergarten and people have agency.
A good compromise is to set a safe mode as the default and include an option that lets users confirm they know what they are doing. Obsidian already does this. Given that, I do not understand why anyone would demand to make the entire tool worse.
I wonder: What level of user effort would make you comfortable with users exiting safe modes? Would you want users to be able to run software with full permissions at all?
Plugins like Tasks do offer a Query functionality that allows me to list e.g. weekly tasks on my daily template, replicating most of Noteplan's workflow, except Noteplan relies on being able to easily link those tasks into the daily template by dragging and dropping them, which internally assigns a unique but hidden-by-default ID in ^129abz notation (https://help.noteplan.co/article/138-synced-blocks). The latter is already supported by Obsidian, it's just not as "clean" and, AFAIK, impossible to get done when dragging and dropping.