Some language servers / ecosystems run unsandboxed code by default. One example here is Rust's RLS and rust-analyzer servers because compiling dependencies may require calling build scripts or procedural macros. A malicious developer can create a repository that, when a language server is started for it, executes arbitrary malicious code on the developer's machine without any sandbox (or, best case, in Kate's sandbox if there's one). At the moment there's no nice way to use language server in trusted projects, but still be able to open a random cloned repository with Kate without this risk. Ideally a user should be able to open projects as untrusted by default, and only enable the language server if they mark the project as trusted. Notably, this mark should be local so that a malicious repository cannot mark itself trusted.
Update: I've been told that the list of enabled plugins is a per-session setting, so one way available today is to leave it disabled in the default session, but enable in sessions used for my projects. One problem with this is that currently opening a file externally (with "Open in Kate" or xdg-open) opens it in whatever session is currently open instead of starting an instance in default session.