neovim (vim) plugins can make web requests, so you could steal secrets from a .env file being edited by, for example, making a LSP plugin active for .env files? According to my limited knowledge of LSP and how neovim plugins work, it should be possible

Could also just phone home everything a user edits using the text editor I bet.

Can someone tell me, when someone has a terminal buffer, using a vim plugin, could you potentially steal their root password when a user runs a sudo command?

And following up, could you, using that password, allow SSH connections and open ports in other system config files? Disable firewall? And potentially execute other commands using `:!` ?

You have the entire Lua language available in vim plugins, so you can just read all the files on the disk that the user has access to, you don't need to make an lsp plugin.

Executing shell commands is also possible, yes. Reading the root password is not possible because that's handled by an external program (forgot the specifics on Linux), but you could technically present a fake password prompt, and steal that.