in a mobile application you can access almost any user data, even list of installed apps etc...
I do understand your point of not allowing auto-loading and I think it is reasonable. I am only asking that question out of curiosity as I never thought JS would allow that.
It would be really great to find a way to sandbox the plugins as asking user for confirmation is only a way to push to responsibility to the user but does not solve this problem otherwise. Have you already thought about or explore some solutions ?
I need to think more about it but would running the plugin in an iframe be a solution ? It could use messages to communicate with windy and then only have whatever public subset of the API exposed.