It is easy to call any API methods within PDI with the scripting steps and it is also easy to add new plugins. With both methods existing passwords can be "un-obfuscated" or decrypted even with more advanced password encryptions.
We may need a mechanism to set a security level to avoid calling APIs or disable the use of some scripting steps.
Workaround: Have a white list of steps. That is actually already possible with defining another kettle-steps.xml or kettle-job-entries.xml.
Another use case could be reading and writing from/to the server based file-system what should be disabled by an option as well.
Further use cases can be found in the linked cases.