I am developing a website for a client, and installed Joomla in a subdirectory on my website for development, and they have access to my ENTIRE website/directory that also includes other client subfolders with access to sensitive files that have passwords and other confidential information.
The plugin should AT LEAST be limited to the directory its installed in, not the entire root directory.
This is definitely not a security issue within eXtplorer, but within your Server/PHP-Configuration. If eXtplorer can have access to other directories, all other PHP scripts can do this as well.
Read more about it here: http://goo.gl/esC35