I have been thinking about this for a few years now, comparing various possible solutions for handling addons’ permissions to access resources, systems and APIs in a way that is transparent to the end user. The problem lies in finding a balance between allowing addons to access many things and the user knowing that this addon is actually doing what is expected and advertised and nothing dodgy is happening in the background.
There are many malicious activities that addons can have in the form of backdoors (bitcoin miners, actual backdoors for taking remote control, viruses stealing, locking or removing your files, silently accessing your microphone and webcam, etc., etc.), but the most harmful of them require access to critical systems (web servers, file system, hardware). The user would probably be surprised to find out that his HUD addon sends messages to a random web server every now and then or that his props pack requires access to his microphone for some reason.
To eliminate this surprise, the user should be notified about the addon wanting to access a particular system or resource and be prompted to allow or deny this action or access.
A small example of a similar user-required confirmation of an addon doing something can be found in Garry’s Mod after an update pushed a few years ago: when an addon tries to open a web page, the user is asked if he wants to see it. I think this should happen for many more things other than presenting web pages to the player.
In a nutshell, platforms similar to S&Box in their structure (web browsers, mobile operating systems) which allow executing external applications/modules/addons with unknown code have had this system for quite a while now; it’s a standard.
In my opinion, S&Box should look at those systems and design something similar; it will protect many players from malware doing crazy things without their knowledge. What do you think?
P. S. Sorry for the great mspaint concept art.