I don't read the plugin's source for every release, but I do check its domain allowlist.
Because I can see it is forbidden from running on any domain I'm concerned about, I consider BPC safer to run than any plugin that works for "all domains".
Usually, I restrict any extension to be "click to activate" and that works just fine. There is often no need to have anything running on every domain and every website. So it does ultimately become a whitelisting situation of my own configuration.
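The allowlist check described in the comments above can be scripted. This is an added example, not part of the thread and not code from the extension under discussion; the manifest contents and the `.example` host names are constructed, and the function names are hypothetical.

```javascript
// Audit which hosts a WebExtension manifest can touch (MV2 and MV3 keys).
// Sample manifest and host names further down are constructed for illustration.
const BROAD = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Collect every host match pattern the manifest declares.
function hostPatterns(manifest) {
  const declared = [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
    ...(manifest.permissions || []),          // MV2 mixes API names and hosts
    ...(manifest.optional_permissions || []),
    ...(manifest.content_scripts || []).flatMap(cs => cs.matches || []),
  ];
  return [...new Set(declared.filter(p => p === "<all_urls>" || p.includes("://")))];
}

// True if the pattern's host part covers `host`. Scheme and path are ignored,
// so the audit over-reports rather than under-reports.
function patternCoversHost(pattern, host) {
  if (pattern === "<all_urls>") return true;
  const m = /^[^:]+:\/\/([^/]*)\//.exec(pattern);
  if (!m) return false;
  const h = m[1].toLowerCase();
  const target = host.toLowerCase();
  if (h === "*") return true;
  if (h.startsWith("*.")) return target === h.slice(2) || target.endsWith(h.slice(1));
  return h === target;
}

// Report broad patterns and which hosts of concern are reachable.
function auditManifest(manifest, hostsOfConcern) {
  const patterns = hostPatterns(manifest);
  const exposed = {};
  for (const host of hostsOfConcern) {
    const hits = patterns.filter(p => patternCoversHost(p, host));
    if (hits.length) exposed[host] = hits;
  }
  return { patterns, broad: patterns.filter(p => BROAD.has(p)), exposed };
}

// Constructed sample: an extension scoped to two site families.
const sampleManifest = {
  manifest_version: 3,
  permissions: ["storage", "declarativeNetRequest"],
  host_permissions: ["*://*.news.example/*", "*://paper.example/*"],
  content_scripts: [{ matches: ["*://*.news.example/*"], js: ["cs.js"] }],
};
const report = auditManifest(sampleManifest, ["bank.example", "mail.example"]);
console.log(JSON.stringify(report, null, 2));
```

Running it against each new release's `manifest.json` and diffing the report shows when an update widens the extension's reach.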
The Nazis won't learn until the people of Minneapolis deal with them the way locals dealt with invaders in Afghanistan. There is another three-letter acronym starting with I that comes to mind.
[1] https://www.reddit.com/r/Minneapolis/comments/1qlpzu8/anothe...