One of the things that excites me most about developing apps is the enormous potential of plugins to extend an application. Xcode and NSBundle make it quite easy to implement too.
Unfortunately, loading external code can be quite risky, and, from what I've seen, there appears to be no built-in solution to help with this. Sure, you could be very careful about what objects you give the plugin access to, and it can't send your objects a method you don't publicly declare in the framework or header files that you make publicly available. However, there are plenty of classes in the Apple frameworks that any object, externally loaded or not, can get a shared instance of. Once it has one of these singleton instances, malicious code could possibly gain access to your data model and controllers through the accessors methods for the object's delegate. Even if it never gained access to your custom objects, it could still wreak havoc with an instance of, say, NSApplication or NSWorkspace. In addition, poorly designed, non-malicious plugins have freedom to do undesirable things like loading new windows and views without the host application's consent.
This is something I'd love to see Apple do something about. They could introduce a class called something like NSRuntime perhaps. This class could let objects ask for a notification to be posted whenever an externally loaded object sends a particular message or calls the method of a specified object. Additionally, the loaded objects could be forced to only communicate with a specified list of objects and or classes.
Of course, there are other solutions like letting other developers only create plugins with a special application (something in the vein of the iSync Plug-in Maker app) or by using a scripting language. However, I'd love to see Apple produce an elegant, cocoa solution to this (or maybe even a language feature of objective-c 3.0).
