KeePass has been audited and is broadly trusted.
There is a dedicated page about plugins and plugin security.
This plugin is listed in the plugin directory of KeePass.
All accounts with write access to this repository are mandated to use two-factor authentication.
Release builds are configured to be deterministic (easily reproducible, since binary content is identical for the same input across compilations).
The corresponding Git commit can be read from the product version of the assembly (e.g. 0.7.1+39ecaf0b99 identifies 39ecaf0b99).
Integrity hashes are available on the release page (since 2023-01).
KeePass queries the KeePass.version file for updates, but won't install any update automatically.
It is recommended to specify appropriate file permissions for the plugin directory so that non-admin users can't hijack the plugin.
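One way to check the plugin directory permissions on Windows, as an added example that is not part of this project: the script lists every allow entry on the plugin directory and its contents that grants write-type rights to a principal outside a trusted set. The default path and the trusted SID list are assumptions; adjust both to your installation.

```powershell
param(
    # Assumed default KeePass 2.x install path; pass your own location if it differs.
    [string]$PluginDir = "$env:ProgramFiles\KeePass Password Safe 2\Plugins"
)

# Rights that let an account add, replace, delete or re-permission plugin files.
# The two numeric values are GENERIC_ALL and GENERIC_WRITE, which can appear raw in inherited ACEs.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership' -bor 0x10000000 -bor 0x40000000

# Principals assumed to be acceptable writers on an admin-only directory.
$trustedSids = @(
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-3-0',        # CREATOR OWNER (applies to whoever creates a child object)
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Audit the directory itself plus everything below it.
$items = @(Get-Item -LiteralPath $PluginDir) + @(Get-ChildItem -LiteralPath $PluginDir -Recurse -Force)

$findings = foreach ($item in $items) {
    # Explicit and inherited rules, with identities returned as SIDs.
    $rules = (Get-Acl -LiteralPath $item.FullName).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if (([int]$rule.FileSystemRights -band $writeMask) -eq 0) { continue }
        if ($trustedSids -contains $rule.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path      = $item.FullName
            Identity  = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

if ($findings) {
    $findings | Format-Table -AutoSize
    Write-Warning 'Principals outside the trusted list can modify the plugin directory or its contents.'
} else {
    Write-Output 'Only trusted principals hold write access to the plugin directory.'
}
```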
Please use the private vulnerability reporting that GitHub provides.
I'll do my best to give a timely answer.
For .NET Framework vulnerabilities, contact the Microsoft Security Response Center.