Plugins are code more or less like any other PHP code, so they can do pretty much anything Omeka itself can do (and more).
Whether there’s a security “issue” really depends on the plugin.
I don’t think we have any official designation of a plugin as “unmaintained”: you can look at dates of releases to get an idea, but some plugins just don’t need any updates for a long time, so that’s not a foolproof signal. Plugins by “Omeka Team” are written and maintained by the Omeka development team; others are by their respective listed authors.