GitRoot

craft your forge, build your project, grow your community freely
id: "9c67"
sprint: ""
status: close
priority: 100

Security breach in right to write

The right to write is good for checking that a plugin doesn’t make dangerous writes. But a malicious user can change that in their branch and write…

A possible solution is to mount the pluginRun from defaultBranch, but complex scenarios where a user wants to try something in a branch will not be possible.

Maybe check that the push user has the right to do what they are trying to do?


After too long debugging, it’s not possible to hack by modifying the conf. We always use the defaultBranch plugins conf.

I close this issue, but one day, a user will want to try some conf in another conf before merge!