
The scary thing is that nowadays everything is backdoored. And developers/product owners may not even know about it. Obsidian is an Electron app, thus uses npm, and with npm we now get at least one malicious package per month. If they have package autoupdate, it's just a matter of time and effort for an attacker to plant something shady there. This could be a simple crypto-stealer, or this could be a way to access people's personal vaults.


What is the alternative? Everyone stop using package managers?
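One concrete answer to the autoupdate worry raised above is to stop letting the package manager float: pin exact versions and require an integrity hash for every locked package. The following script is an added example written for this thread, not code from Obsidian, Electron or npm; the `package.json` and `package-lock.json` contents are constructed samples, and the function names are my own. It flags dependency specs that are not an exact version (caret and tilde ranges, `*`, dist-tags such as `latest`) and lock entries that carry no `integrity` field.

```python
"""Audit a package.json / package-lock.json pair for floating version
specs and for lock entries without an integrity hash.

Added illustration for this thread; the manifests below are constructed
samples, not taken from any real project."""
import json
import re

# Constructed sample manifest (hypothetical package names).
PACKAGE_JSON = json.dumps({
    "name": "example-app",
    "dependencies": {
        "left-util": "^1.2.0",   # caret range: any 1.x.y >= 1.2.0 may be pulled
        "pinned-lib": "2.0.1",   # exact version
        "wild-dep": "*",         # anything the registry serves
        "tagged-dep": "latest",  # dist-tag: resolves to the newest publish
    },
})

# Constructed sample lockfile (v3 layout); "resolved" URLs are placeholders.
PACKAGE_LOCK_JSON = json.dumps({
    "name": "example-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/left-util": {
            "version": "1.2.3",
            "resolved": "https://registry.example/left-util-1.2.3.tgz",
            "integrity": "sha512-PLACEHOLDER-A",
        },
        "node_modules/pinned-lib": {
            "version": "2.0.1",
            "resolved": "https://registry.example/pinned-lib-2.0.1.tgz",
            "integrity": "sha512-PLACEHOLDER-B",
        },
        "node_modules/wild-dep": {   # no integrity hash recorded
            "version": "0.9.0",
            "resolved": "https://registry.example/wild-dep-0.9.0.tgz",
        },
        "node_modules/tagged-dep": {
            "version": "4.1.0",
            "resolved": "https://registry.example/tagged-dep-4.1.0.tgz",
            "integrity": "sha512-PLACEHOLDER-C",
        },
    },
})

# A spec counts as pinned only if it is a plain exact version, e.g. 2.0.1
# or 2.0.1-beta.1. Anything else lets a future install resolve differently.
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$")


def floating_dependencies(package_json_text):
    """Return {name: spec} for every dependency whose spec is not exact."""
    manifest = json.loads(package_json_text)
    floating = {}
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name, spec in manifest.get(section, {}).items():
            if not EXACT_VERSION.match(spec):
                floating[name] = spec
    return floating


def lock_entries_without_integrity(lock_text):
    """Return lockfile package paths that carry no integrity hash."""
    lock = json.loads(lock_text)
    missing = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":  # the root project itself, not a fetched tarball
            continue
        if not entry.get("integrity"):
            missing.append(path)
    return missing


def audit(package_json_text, lock_text):
    """Combine both checks into one report dict."""
    return {
        "floating": floating_dependencies(package_json_text),
        "missing_integrity": lock_entries_without_integrity(lock_text),
    }


if __name__ == "__main__":
    report = audit(PACKAGE_JSON, PACKAGE_LOCK_JSON)
    for name, spec in report["floating"].items():
        print(f"floating range: {name} {spec!r}")
    for path in report["missing_integrity"]:
        print(f"no integrity hash: {path}")
```

Pinning plus a committed lockfile is what makes `npm ci` reproducible: a lock entry with an `integrity` hash fails the install if the registry serves a different tarball, and `--ignore-scripts` keeps install-time hooks from running on the build machine. The script only reports; deciding what to do with a flagged package is still a review step.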



