XojoScript plugins can be no more nefarious than what you allow in your context.
If you have a context in your app that allows people to read and write arbitrary files, then certainly someone could write a XojoScript that maybe did something bad by doing that (but usually you can’t get permissions to overwrite anything important).
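
An added example, not part of the original post: a context class whose only file capability is a write confined to one folder, so a script has nothing broader to misuse. `ScriptContext`, `SaveNote` and the `ScriptNotes` folder are hypothetical names, and the calls assume Xojo API 2.

```xojo
// Hypothetical context class (added example). A script can call only the
// methods of the object assigned to XojoScript.Context, so this class is
// the script's entire file-system surface.
Class ScriptContext
  Private mRoot As FolderItem

  Sub Constructor(root As FolderItem)
    mRoot = root
  End Sub

  // Writes body to a file directly inside mRoot. Returns False and writes
  // nothing when the name could resolve outside that folder.
  Function SaveNote(name As String, body As String) As Boolean
    If name = "" Or name.Left(1) = "." Then Return False
    For Each sep As String In Array("/", "\", ":")
      If name.IndexOf(sep) >= 0 Then Return False
    Next
    Var f As FolderItem = mRoot.Child(name)
    If f Is Nil Or f.IsFolder Then Return False
    Var out As TextOutputStream = TextOutputStream.Create(f)
    out.Write(body)
    out.Close
    Return True
  End Function
End Class

// Host side: give the script the narrow context, never a raw FolderItem.
Var root As FolderItem = SpecialFolder.ApplicationData.Child("ScriptNotes") // constructed name
If Not root.Exists Then root.CreateFolder

Var script As New XojoScript
script.Context = New ScriptContext(root)
// Constructed script source: the second call is refused by SaveNote.
script.Source = "Dim a As Boolean = SaveNote(""todo.txt"", ""ok"")" + EndOfLine + _
  "Dim b As Boolean = SaveNote(""../escape.txt"", ""x"")"
script.Run
```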