Presumably the attack vector is that someone malicious at Zed or VSCode could change the code in the server components to introduce a backdoor that could be used later.