Fair, though with the CL/Python/Whatever you would have to have a session started before visiting the file. I suppose with the newer eglot and friends, it could reach out using LSP as soon as you enter a project directory? At that point, I'd assume similar attacks exist in those contexts, too? Maybe protected by some sandboxing in the LSP side?